Dr. Henrik Hanssen explains the EU’s Cyber Resilience Act (CRA)
By Hogan Lovells
Summary
Topics Covered
- CRA Bans Non-Compliant Products EU-Wide
- Security Products Face Stricter Standards
- Manufacturers Risk Assess Pre-Market
- Fines Hit 2.5% Global Turnover
- Start Five-Step Prep Before 2027
Full Transcript
Hello and welcome to our Hogan Lovells video tutorials on digital transformation and law.
My name is Henrik Hanssen. I'm an attorney and counsel in our Hamburg office. In this video, we are going to discuss the European Cyber Resilience Act, "the CRA". We will look at its scope and key obligations and what it means for companies. The CRA is a new key element of the cybersecurity
legislation in the EU. Its primary purpose is to reduce the cybersecurity risks that result from the ever increasing use of digital products. Put simply, the CRA will introduce comprehensive cybersecurity standards for most hardware and software products as protection against cyber incidents. It's crucial to understand that products which do not comply with the CRA's requirements may not be sold in the EU once the CRA enters into full effect. So, to which products does the CRA apply? The CRA covers all so-called products with digital elements. This basically
includes any type of hardware or software made available in the EU. There are some exceptions, for example for certain medical devices or cloud services, but think of text processing or photo editing software, video games, wearables, smart home devices; all of these will be in scope.
Products with security functions, like browsers, password managers, firewalls, operating systems, or microprocessors, are even classified as important products and will be subject to stricter standards. There also is a category of critical products which includes devices like smart metering gateways or crypto processors. Companies that are involved in the supply chain of any such products must make sure that they comply with the CRA covering the entire product life cycle. To
this end, it's no surprise that the broadest set of obligations applies to manufacturers.
Manufacturers must first ensure that their products meet certain essential cybersecurity standards specified in the CRA before they are placed on the market. This means that manufacturers must perform and document a risk assessment already during the product development phase to identify potential vulnerabilities from the very beginning. The company would then need to
implement security safeguards that address these risks. A crucial aspect of CRA compliance involves undergoing a product conformity assessment and obtaining a CE certification. The purpose of the conformity assessment is to verify that the CRA's essential cybersecurity standards are met,
and, depending on the product classification, obtaining CE certification may require engaging an authorized third party organization. For example for most important and all critical products, it's necessary to rely on a so-called notified body to carry out an external evaluation.
In addition, companies must create detailed technical documentation as well as customer-facing information and instructions for end users, including contact information. Once a product is on the market, manufacturers must continuously monitor for any emerging vulnerabilities related
to the products for at least five years, and if a security flaw is discovered after market launch, say through customer feedback or otherwise, there must be procedures in place to timely roll out security updates or patches. Finally, manufacturers are required to notify detected
vulnerabilities to relevant authorities and customers. So, if companies do not comply with the obligations under the CRA, the competent national authorities may impose fines up to 2.5% of the company's worldwide annual turnover. Also, non-compliance could result in restrictions
on market access within the EU, which might be an even more significant consideration from a business perspective. While all of this might sound a bit overwhelming at first, the good news is that the key obligations under the CRA are expected to become applicable not earlier than 2027. So which actions should companies take now in preparation for CRA compliance? Here are
five recommended steps. Number one, applicability assessment: check against the product inventory if any of your products are in scope of the CRA. Also determine your role as manufacturer, importer, or distributor under the CRA. Number two, product classification: determine for each product in the inventory whether it falls into the non-critical, important, or even critical
category. Number three, gap analysis: perform an assessment of the applicable CRA obligations to identify any existing compliance gaps for the relevant products. Number four,
action plan: use the gap analysis to identify the specific action items needed to achieve full CRA compliance. Finally, number five, implementation: create a project plan for the implementation of compliance measures that address the identified action items. Where possible,
you should integrate CRA compliance into your existing product conformity procedures. By taking
these proactive steps now, companies can ensure that they are well positioned ahead of 2027 when compliance with the CRA becomes mandatory. If you want to learn more about the CRA,
see the video's description below or get in touch with us. See you on the next video.