{"id":190649,"date":"2026-02-25T17:06:00","date_gmt":"2026-02-25T22:06:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/02\/25\/a-quick-primer-to-help-your-business-comply-with-the-eus-cyber-resilience-act-fisher-phillips\/"},"modified":"2026-02-25T17:45:10","modified_gmt":"2026-02-25T22:45:10","slug":"a-quick-primer-to-help-your-business-comply-with-the-eus-cyber-resilience-act-fisher-phillips","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/02\/25\/a-quick-primer-to-help-your-business-comply-with-the-eus-cyber-resilience-act-fisher-phillips\/","title":{"rendered":"A Quick Primer to Help Your Business Comply With the EU\u2019s Cyber Resilience Act | Fisher Phillips"},"content":{"rendered":"<p><a href=\"https:\/\/www.jdsupra.com\/legalnews\/a-quick-primer-to-help-your-business-4237866\/\">A Quick Primer to Help Your Business Comply With the EU\u2019s Cyber Resilience Act | Fisher Phillips<\/a><\/p>\n<p><a href=\"https:\/\/www.jdsupra.com\/legalnews\/a-quick-primer-to-help-your-business-4237866\/\">https:\/\/www.jdsupra.com\/legalnews\/a-quick-primer-to-help-your-business-4237866\/<\/a><\/p>\n<p>Publish Date: 2026-02-25 17:06:00<\/p>\n<p>Source Domain: www.jdsupra.com<\/p>\n<p>The European Union\u2019s Cyber Resilience Act (CRA) has mandated uniform cybersecurity requirements for hardware and software with digital elements that are placed on the EU market since 2024. The law has three main requirements: that businesses ensure their products are secure by design, that they report actively exploited vulnerabilities, and that they provide security updates for products for their expected lifetime. 
While the European Commission has compiled a set of technical Frequently Asked Questions to help entities comply with the law, it is voluminous and wide-ranging in scope \u2013 so this Insight summarizes the most salient topics and provides pointers for compliance.<\/p>\n<p>1. What constitutes a \u201cproduct with digital elements\u201d (PDE) per the CRA, and which PDEs are in scope of the law?<\/p>\n<p>CRA defines a \u201cproduct with digital elements\u201d as \u201ca software or hardware product and its remote data processing solutions, including software and hardware components being placed on the market separately.\u201d While CRA provides technical definitions for these terms, what is most important is that there is a wide range of products that are deemed to have \u201cdigital elements,\u201d including standalone software, software paired with hardware, foundational hardware components, consumer devices, and complex devices.<\/p>\n<p>If a product is deemed to have digital elements, it is generally within the scope of CRA if:<\/p>\n<p>\tit is made available on the market, and<br \/>\n\tits intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network.<\/p>\n<p>In other words, most software and hardware for sale within the EU that will connect to a digital network is under the purview of CRA. Critically, the CRA only applies to PDEs placed on the market before December 11, 2027, if, from that date, they are subject to substantial modification. An exception to this rule is the notification requirement for actively exploited vulnerabilities, which applies to products placed on the market prior to December 11, 2027.<\/p>\n<p>Knowing this, how can your business best understand the universe of your products that must comply with CRA?<\/p>\n<p>\tFirst, conduct a comprehensive audit of your full suite of PDE offerings. 
Determine which are sold within the EU and are likely to become part of a digital network.<br \/>\n\tSecond, assess whether PDEs will be subject to substantial modification after December 11, 2027. As an example, a software update that alters the original intended functions of the device would constitute a \u201csubstantial modification.\u201d Comparatively, an update that merely remedies a coding bug would not.<br \/>\n\tThird, examine your product pipelines to determine which products will be controlled by CRA. Design these products in a CRA-compliant manner from the outset.<\/p>\n<p>Some products, including those designed for national security or defense and maritime equipment, fall outside the scope of CRA. You should consult with legal counsel to get a better understanding of exemptions to CRA rules.<\/p>\n<p>2. What is the interplay between CRA and other related pieces of legislation?<\/p>\n<p>CRA operates alongside other cybersecurity regulations. Notably, Regulation (EU) 2023\/1230, known as the Machinery Regulation (MR), \u201caddresses cybersecurity risks that may have an impact on safety,\u201d although it focuses on machinery-related items, not PDEs.<\/p>\n<p>Importantly, the European Commission recognizes that product classifications may not be mutually exclusive. For example, a piece of packaging machinery (covered by MR) that contains networked software and\/or hardware may also be a PDE covered by CRA. In this case, neither piece of legislation predominates. Instead, businesses must ensure that they follow both MR and CRA, especially since complying with one law may reinforce compliance with the other.<\/p>\n<p>For those businesses whose products may be governed concurrently by CRA and other EU regulations (e.g., MR, General Data Protection Regulation, General Product Safety Regulation, etc.), the following guidance is applicable:<\/p>\n<p>\tInitiate a review of all products that you have placed into the EU market. 
You should classify each product, understanding that some may have multiple designations.<br \/>\n\tConsult with legal counsel to see what EU laws apply to which products and to help reconcile seemingly conflicting regulations.<br \/>\n\tReference applicable conformity assessment procedures set forth by the EC, which are designed to help facilitate compliance across multiple regulatory regimes.<\/p>\n<p>3. What does CRA require in terms of the manufacturer\u2019s cybersecurity risk assessment?<\/p>\n<p>Before introducing a PDE to market, CRA \u201crequires manufacturers to undertake an assessment of the cybersecurity risks associated with a product with digital elements.\u201d The goal of this assessment is to minimize cybersecurity risks, prevent incidents, and minimize their impact, including in relation to the health and safety of users.<\/p>\n<p>The cybersecurity risk assessment must indicate certain information, including:<\/p>\n<p>\tWhether (and, if so, how) the security requirements of CRA are applicable to the PDE;<br \/>\n\tThe way those requirements are being implemented by the business;<br \/>\n\tHow the manufacturer has planned, designed, developed, produced, delivered and maintained the PDE to ensure an appropriate level of cybersecurity; and<br \/>\n\tThe vulnerability handling requirements.<\/p>\n<p>CRA does not mandate a specific cybersecurity risk assessment methodology, so a manufacturer can decide how to identify and treat the relevant risks. However, this process must be comprehensive, as all relevant risks must be addressed, and this process needs to be documented so that regulators can verify compliance.<\/p>\n<p>The most effective way to comply with this provision of CRA is for the manufacturer to consult with legal and technical experts who can validate that the cybersecurity risk assessment meets regulatory standards, and that the process undertaken by the business has been thorough and covered all necessary requirements.<\/p>\n<p>4. 
What reporting requirements must a manufacturer meet upon discovery of an actively exploited vulnerability or a severe incident?<\/p>\n<p>A key provision of CRA is the reporting of actively exploited vulnerabilities (defined as \u201ca vulnerability for which there is reliable evidence that a malicious actor has exploited it in a system without permission of the system owner\u201d) and severe incidents to regulators.<\/p>\n<p>CRA does not provide an exhaustive list as to how a manufacturer may become aware of an actively exploited vulnerability, but some examples include the following:<\/p>\n<p>\tA customer or partner relaying unusual activity or compromise;<br \/>\n\tA threat intelligence report, government agency, and\/or ethical hacker that advises that the manufacturer\u2019s product has been used in targeted attacks; or<br \/>\n\tInternal monitoring, scanning activities, and\/or telemetry.<\/p>\n<p>Where CRA is prescriptive is that once an actively exploited vulnerability is discovered, it must be reported. Best practices to meet reporting requirements include:<\/p>\n<p>\tDraft templated forms that can be filled with applicable information before a vulnerability is discovered. These forms should include all information required by CRA and be vetted by attorneys.<br \/>\n\tInstitute an approval process for forms to be expeditiously routed, reviewed, and signed off for filing. Identifying who will draft the form, what personnel need to review it, and the individual ultimately responsible streamlines the process.<br \/>\n\tConsult with counsel to keep abreast of any changes to the disclosures and\/or filing procedures. 
Agencies sometimes evolve what information they need or how a form should be submitted, and your attorneys should help you be aware of any such developments.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A Quick Primer to Help Your Business Comply With the EU\u2019s Cyber Resilience Act |&#8230;<\/p>\n","protected":false},"author":1,"featured_media":190650,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/jdsupra-static.s3.amazonaws.com\/profile-images\/og.7295_415.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,35,27],"class_list":["post-190649","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-hacker","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/190649"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=190649"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/190649\/revisions"}],"predecessor-version":[{"id":190651,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/190649\/revisions\/190651"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/190650"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=190649"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.
php\/wp-json\/wp\/v2\/categories?post=190649"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=190649"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}