EU Formally Adopts Cyber Law for Connected Products

On 12 March 2024, the European Parliament approved the EU Cyber Resilience Act (“CRA”) with a large majority of 517-12 votes in favor of the legislation (with 78 abstentions). The CRA aims to ensure that “products with digital elements” (“PDE”) i.e., connected products such as smart devices, and remote data processing solutions, are resilient against cyber threats and provide key information in relation to their security properties.

Brief Recap of the CRA

The European Commission first proposed the CRA on 15 September 2022. The aim of the CRA is to set cyber standards for manufacturers, distributors and importers of PDE, as well as related remote data processing solutions commercialized in the EU. The CRA imposes product safety-type requirements that will apply throughout the commercial lifecycle of a connected device and seeks to ensure that PDEs comply with a number of essential cybersecurity requirements and are subject to incident and vulnerability notification requirements.  The CRA is not specific in terms of the technical cybersecurity requirements which PDEs have to comply with – this will be specified further in secondary EU legislation adopted by the EU Commission (so-called “delegated and implementing acts”). For more information on the CRA, and its key requirements, please see our previous blog posts here and here.

The CRA was adopted by the EU Parliament just one day before the EU adopted the EU AI Act – see our blog post here – and will come into force alongside a number of other digital data and cyber laws that the EU has been adopting recently, including the EU Digital Markets Act, the EU Digital Services Act, and an updated version of the EU Network and Information Systems Security Directive (NISD2).


The CRA imposes fines of up to €15 million or 2.5% of the total worldwide annual turnover for the preceding financial year, whichever is higher, for non-compliance with any essential cybersecurity requirements. Breaches of other obligations could result in fines of up to €10 million or 2% of global turnover in the last financial year.

Further, EU Member States will each designate one or more market surveillance authorities to ensure supervision and enforcement of the CRA. The CRA has also established a dedicated cooperation group to ensure uniform application of the CRA across the EU. Finally, there are requirements for manufacturers to report e.g., actively exploited vulnerabilities and severe incidents to their Computer Security Incident Response Team (“CSIRT”) and the EU Agency for Cybersecurity (“ENISA”) so that cross-border efforts to mitigate such incidents can be implemented quickly.

Next steps

The Parliament-adopted text will now be formally adopted by the Council after which it will become law. The CRA Act is then likely to enter into force at the end of April or early May. Following entry into force, the majority of the CRA’s provisions will apply 3 years after the publication (although key vulnerability reporting obligations will apply 21 months after this date).

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.