EU Cyber Resilience Act

Your expert for questions

Siri Oberpottkamp
Senior Manager at PwC Germany
Tel: +49 1516 4500068

New requirements for product security

Connected devices and services are playing an increasingly important role in the digital age. With the EU Cyber Resilience Act (CRA), the EU has imposed new cyber security requirements on products with digital elements in order to protect them against cyber attacks and ensure a harmonised approach towards cyber security. Products for which the EU already has relevant cyber security regulations in place are hence excluded from the CRA, one example being automotive products. The CRA came into force with its publication in the Official Journal of the EU on 20th November 2024 and will apply gradually with a transitional period of 36 months. However, from September 2026, product manufacturers will be required to report security incidents. 

Video

CRA in 90 seconds

Transcript

Product Categories of the Cyber Resilience Act

The CRA applies to products with digital elements, i.e. products that can establish a direct or indirect connection to other devices or networks. This includes both software and hardware. The key indicator for the applicability of the CRA is a product's fundamental ability to communicate with other products or components.

The specific obligations for companies depend on how the products are categorised. The legislator divides products into the following categories, in order of increasing security risk:

“Default” products with digital elements

Smart home systems or industrial IoT sensors belong to this category. It requires an internal conformity check that proves that the cyber security requirements of the CRA are met.

Important products with digital elements of Class I

Products in this category, such as microprocessors or anti-virus software, usually fulfil one of the following conditions:

• they have a cybersecurity-related function,
• they provide a function which carries a significant risk of affecting a large number of other products,
• or they pose a risk to the security of a large number of people.

Products in this category require the use of a harmonised standard or, alternatively, external verification of conformity.

Products of Class I and Class II are both listed in Annex III.

Important products with digital elements of Class II

Products such as firewalls or hypervisors require mandatory external conformity assessment. Usually, two or more of the conditions from Class I are fulfilled, as these products may pose a higher risk in the event of a security incident.

Critical products with digital elements

This concerns critical products with digital elements that are listed in Annex IV and are used for security purposes in critical infrastructure, such as smart meter gateways or smart cards. A certification scheme must be applied to provide proof of conformity.

What must product manufacturers do now?

Companies whose products fall into one of the above categories must ensure a high level of cyber security throughout the entire product life cycle.

Even smaller companies that manufacture products with digital elements must ensure that their products fulfil the CRA requirements. Especially when resources are limited, it is important to rely on standardised conformity assessments and on security by design at an early stage. SMEs should also check whether they can rely on existing certifications and security solutions. As the EU has recognised the challenges for SMEs, they receive additional support, and selected requirements have been adapted for small companies.

CE labelling for products with digital elements will be linked to conformity with the Cyber Resilience Act. It is crucial to include the security aspect in the development process of new products right from the start. Risk assessments and security by design are elementary components here. The product must remain secure during delivery, maintenance and disposal, so that the whole life cycle is addressed.

As a result, potential risks must be comprehensively documented and regularly reviewed. This also applies to product vulnerabilities. Suppose a manufacturer discovers that a hacker has exploited a vulnerability in the software of a smart home system: the manufacturer is obliged to report the vulnerability to the relevant authorities within 24 hours to prevent further damage. In addition, customers must be informed promptly about the incident and notified of available patches.

This means that manufacturers are responsible for identifying and eliminating security vulnerabilities for the expected service life of a product. This also includes the provision of free security updates.

In order to meet these requirements, the necessary resources and processes should be established within the organisation in a timely manner. Both technical and procedural measures must be considered.

What happens in the event of non-compliance with the Cyber Resilience Act?

Companies that do not comply with the CRA risk high fines and may no longer be able to place their products on the EU market. In the event of serious violations, penalties of up to €15 million or 2.5% of annual global turnover – whichever is higher – may be imposed. This emphasises the importance of implementing the security requirements early.

Cyber Resilience Act Asset Library

Webcast recordings, our latest whitepaper and recommendations for action – all available to download here. Register once for access to all our CRA assets and secure all relevant insights.


Contact us

Dr Oliver Hanka

Partner, Cyber Security & Privacy, PwC Germany

Tel: +49 160 5105836

Siri Sophia Oberpottkamp

Senior Manager, Cyber Security & Privacy, PwC Germany

Tel: +49 1516 4500068