Cyber Resilience Act
Purpose: The Cyber Resilience Act aims to improve the cybersecurity of products with digital elements in the EU market. Its key objectives are to:
- Ensure secure products – Require manufacturers to implement built-in security throughout the product lifecycle.
- Enhance transparency – Introduce clear cybersecurity obligations, including vulnerability management and reporting.
- Harmonize rules – Establish uniform EU-wide security standards, reducing regulatory fragmentation.
- Protect consumers & businesses – Minimize cybersecurity risks by ensuring all products meet baseline security requirements before entering the market.
By reducing cyber risks and increasing trust in digital products, the CRA strengthens overall resilience against cyber threats.
Impact on Norway: As part of the EEA Agreement, Norway and Norwegian businesses must comply with the Cyber Resilience Act, introducing stricter cybersecurity requirements for digital products when the Act enters into force. Norwegian companies developing, importing, or distributing software and hardware must ensure compliance with EU security and vulnerability management standards. While the regulation promotes a more harmonized approach to cybersecurity, it may also increase compliance costs and require ongoing security updates.
Scope: The Cyber Resilience Act applies to manufacturers, importers, and distributors of digital products placed on the market. Covered products include:
- Consumer devices: Smart home systems (e.g., smart thermostats, smart locks), wearables (e.g., smartwatches, fitness trackers), and connected toys.
- Industrial and enterprise products: Network routers, industrial control systems, medical devices, and cybersecurity software.
- Software: Operating systems, password managers, and cloud-based applications.
The CRA mandates cybersecurity requirements throughout the product lifecycle, from secure development to vulnerability management. Critical products, such as network infrastructure and industrial control systems, face stricter security obligations due to their higher risk.
Core obligations: The Cyber Resilience Act establishes cybersecurity obligations for manufacturers, importers, and distributors of digital products. Key obligations include:
- Secure product design & development – Security must be integrated from the design phase and maintained throughout the product lifecycle.
- Vulnerability management – Continuous monitoring, security updates, and mandatory patching of vulnerabilities.
- Incident reporting – Manufacturers must report actively exploited vulnerabilities and security incidents to ENISA within 24 hours.
- Transparency & compliance – Security documentation, risk assessments, and adherence to EU certification standards.
- Market oversight & enforcement – National authorities can impose fines or restrict non-compliant products from the EU market.
The CRA ensures that all digital products meet minimum cybersecurity standards, improving overall cyber resilience across the EU and EEA.
- Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements (Cyber Resilience Act): https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202402847
- Date of application in the EU/EEA: The Cyber Resilience Act was formally adopted in the EU on 10 October 2024 and applies in the EU from 11 December 2027. However, Article 14 applies from 11 September 2026, and Chapter IV (Articles 35 to 51) applies from 11 June 2026.
- Route for Norway: The regulation is marked as EEA-relevant by the EU and is currently under review by the EEA/EFTA States.