Our Capabilities

Expert EU cybersecurity knowledge 

Our team possesses in-depth knowledge of the EU Cyber Resilience Act and European cybersecurity standards, providing precise compliance guidance.

Tailored product solutions 

We develop customised strategies for your specific digital products, addressing their unique technical characteristics and risk profiles under the CRA.

Streamlined compliance process 

We offer an efficient process covering assessment, testing, and documentation, simplifying your path to CRA conformity and market access.

Dedicated support, building trust

Benefit from dedicated expert support throughout. Our partnership helps ensure product security and builds confidence.

Understanding EU cybersecurity requirements

Businesses face challenges navigating the broad scope and detailed technical requirements of the EU Cyber Resilience Act for their digital products.

We offer expert guidance, conformity assessment support, and testing services to help businesses understand and meet CRA obligations, ensuring their products can be legally and securely placed on the EU market.


Simplify EU cybersecurity compliance

Achieve CRA compliance efficiently and confidently to access the European market.

Navigating the complexities of the EU Cyber Resilience Act is essential for placing digital products on the European market. Our comprehensive services provide the expertise and support needed to meet all mandatory requirements, ensuring your products are compliant and ready for distribution across the EU.

  • Expert guidance on CRA requirements.
  • Streamlined conformity assessment support.
  • Comprehensive cybersecurity testing.
  • Assistance with required documentation.
  • Support for vulnerability management processes.

Services for EU CRA Compliance

Our services are designed to support manufacturers, importers, and distributors in achieving compliance with the EU Cyber Resilience Act.

Our core services include:

  • Conformity Assessment Support: Guiding you through the appropriate conformity assessment procedure based on your product's risk category, including support for self-assessment or preparation for third-party evaluation.
  • Cybersecurity Testing: Conducting relevant cybersecurity testing against essential requirements and standards like ETSI EN 303 645 to identify vulnerabilities and verify compliance.
  • Documentation Assistance: Helping prepare the required technical documentation, risk assessments, and the EU Declaration of Conformity.
  • Regulatory Guidance: Providing expert advice on interpreting CRA requirements and understanding your obligations throughout the product lifecycle.
  • Vulnerability Management Consulting: Assisting in establishing effective processes for identifying, documenting, and remediating product vulnerabilities.

These services help ensure your products meet the stringent cybersecurity standards required for the EU market.

EU Cybersecurity Regulations

The EU Cyber Resilience Act (CRA), which entered into force on December 10, 2024, establishes a comprehensive framework for cybersecurity requirements for products with digital elements placed on the EU market. Its primary objective is to improve the cybersecurity of hardware and software products throughout their lifecycle, ensuring a higher level of security for consumers and businesses across the European Union.

The CRA introduces mandatory cybersecurity requirements for manufacturers, importers, and distributors, aiming to address the growing threat landscape and the current low level of cybersecurity in many digital products.

Key Requirements

The CRA outlines essential cybersecurity requirements that products with digital elements must meet. These include:

  • Security by Design and Default: Products must be designed, developed, and produced to ensure an appropriate level of cybersecurity based on identified risks. They should be placed on the market with a secure configuration by default.
  • Protection Against Unauthorised Access: Products must protect against unauthorised access through appropriate control mechanisms, such as authentication and identity management systems.
  • Data Confidentiality and Integrity: Products must protect the confidentiality and integrity of stored, transmitted, or otherwise processed data, including personal data, using mechanisms like encryption.
  • Availability of Functions: Products must protect the availability of their essential functions, including resilience against and mitigation of denial-of-service attacks.
  • Minimising Attack Surface: Products should be designed and developed to limit attack surfaces and reduce the impact of security incidents.
  • Vulnerability Handling: Manufacturers must identify and document vulnerabilities, address them promptly through security updates, and have a policy for coordinated vulnerability disclosure.
  • Information and Instructions: Products must come with clear and understandable instructions on their secure installation, configuration, and use, including information on security updates and how to securely remove data.

Obligations for Economic Operators

The CRA imposes specific obligations on actors in the supply chain:

  • Manufacturers: Must ensure products meet essential cybersecurity requirements, conduct risk assessments, implement vulnerability handling processes, provide security updates for the product's support period, draw up technical documentation and an EU Declaration of Conformity, and affix the CE marking. They also have reporting obligations for actively exploited vulnerabilities and severe incidents.
  • Importers: Must verify that products comply with the CRA, including checking for the CE marking, the EU Declaration of Conformity, and the manufacturer's contact details and instructions. They must not place non-compliant products on the market and must inform authorities if a product poses a significant risk.
  • Distributors: Must act with due care to ensure products comply with the CRA, verifying the presence of the CE marking and required documentation. They must not make non-compliant products available and must inform manufacturers and market surveillance authorities of identified risks.

Scope

The CRA applies to a broad range of products with digital elements whose intended or foreseeable use includes a direct or indirect connection to a device or network. This covers most hardware and software products, including IoT devices, software applications, and components. Certain products already covered by existing EU legislation (e.g., medical devices, vehicles, aviation) and specific types of open-source software are generally excluded. Products are categorised based on risk level, which determines the required conformity assessment procedure (self-assessment or third-party evaluation).

Enforcement and Penalties

The CRA grants market surveillance authorities in EU Member States powers to enforce the regulations, including requesting documentation, conducting checks, and imposing corrective measures. Non-compliance can lead to significant penalties, with maximum fines reaching €15 million or 2.5% of the company's total worldwide annual turnover, whichever is higher.

Eurofins Electrical & Electronics can help manufacturers, importers, and distributors navigate the complexities of the CRA. We offer expert testing, assessment, and advisory services to ensure products meet mandatory security requirements, such as banning default passwords, implementing vulnerability disclosure policies, and providing security update transparency.

This support helps businesses achieve compliance efficiently, access the EU market, and mitigate potential penalties.

Ready to explore our EU cybersecurity services?

Connect with our experts today. We offer comprehensive EU cybersecurity testing and certification services, simplifying compliance and accelerating your market entry.
