One of the most pivotal regulatory developments at the end of 2024 was the official publication of the EU Cyber Resilience Act (CRA). The regulation is designed to reduce risks faced by consumers and businesses from cyber threats, setting uniform standards for hardware and software products with digital elements (PDEs).  

As well as cyber and IT teams, Data Protection Officers (DPOs) will play a critical role in ensuring compliance with the relatively novel legislation as it comes into force. In this piece, we summarise the key elements of the CRA and how your DPO can help you navigate its requirements in the coming months. 

The CRA in a nutshell 

Forming part of the wider EU Cybersecurity Strategy for the Digital Decade, the CRA applies to all PDEs with direct or indirect connections to devices or networks, spanning manufacturers, importers, distributors, and other economic operators. It mandates stringent cybersecurity requirements throughout a product’s lifecycle, including: 

  • Designing secure products to limit vulnerabilities. 
  • Conducting risk assessments and updating documentation. 
  • Ensuring secure integration of third-party components. 
  • Establishing vulnerability handling processes and reporting actively exploited vulnerabilities within 24 hours. 
  • Conducting conformity assessments for high-risk products like web browsers and operating systems. 

Certain products, such as medical devices and aviation systems, fall outside the CRA’s scope if they are already regulated under specific EU frameworks. Additionally, the CRA provides exclusions for PDEs governed by other regulations, including the NIS2 Directive and the AI Act. For example, high-risk AI systems compliant with CRA cybersecurity requirements will also satisfy the AI Act’s equivalent requirements. However, overlapping regulations, such as the GDPR and DORA (Regulation 2022/2554), may create compliance complexities for certain organisations. These nuanced technicalities make it essential that DPOs help businesses make accurate decisions regarding the CRA’s applicability and any competing or overlapping data protection obligations. 

Enforcement and Penalties 

The CRA grants comprehensive oversight powers to public authorities, including the European Commission, ENISA, and national regulators. These entities are authorised to monitor compliance, conduct investigations, and enforce corrective measures. In cross-border matters, the CRA provides mechanisms for cooperation between authorities to address disagreements in its interpretation or application. Non-compliance with the CRA’s requirements can result in significant penalties, including: 

  • Fines of up to €15 million or 2.5% of global turnover for severe breaches. 
  • Fines of up to €5 million or 1% of annual turnover for providing incorrect, incomplete, or misleading information. 

Corrective or restrictive measures, such as product recalls or withdrawals from the EU market, may also be imposed. Authorities are further empowered to conduct coordinated “sweeps”, which involve simultaneous, unannounced investigations across jurisdictions to monitor compliance and address cross-border issues. These sweeps underline the importance of maintaining readiness and robust practices that can withstand regulatory scrutiny. 

How DPOs can help 

Emerging regulations, especially ones that overlap with existing laws and frameworks, often require an acclimatisation period so that businesses can understand the implications for their organisations. Here are some of the ways your DPO can support compliance with the CRA: 

  • Risk Assessment Oversight: Collaborate with technical teams to ensure that cybersecurity risk assessments (and DPIAs to the extent these are deemed necessary) are conducted and documented for all PDEs. 
  • Incident Reporting Management: Develop processes and procedures to assess incidents and report actively exploited vulnerabilities to the relevant authorities within 24 hours, as required by the CRA. 
  • Communicating with the regulators: The DPO can advise on which incidents must be reported, and can manage and liaise with regulators in a timely manner. 
  • Compliance Monitoring: Regularly audit cybersecurity measures in addition to any technical and organisational measures for personal data to ensure adherence to the CRA’s mandatory requirements, including secure product design, vulnerability handling and data minimisation. 
  • Documentation and Reporting: Develop and maintain detailed records of cybersecurity practices, risk assessments, and incident responses to demonstrate good accountability and governance practices as key compliance obligations. 

Key deadlines to note 

The CRA is being phased in to give businesses time to put the right measures in place. The following are key dates to note: 

  • 11 June 2026 onwards: notification of conformity assessment bodies (Chapter IV) applies 
  • 11 September 2026 onwards: reporting obligations apply 
  • 11 December 2027 onwards: remaining obligations come into force 

Preparing for the CRA 

Going into 2025, manufacturers should evaluate their existing cybersecurity measures, address compliance gaps, and prepare for rigorous documentation and reporting requirements. HewardMills and its team of DPP and cyber experts can help your business establish robust oversight frameworks to ensure smooth adherence to the CRA’s requirements.  

If you would like to discuss this topic or anything else data protection and privacy-related, please contact us at dpo@hewardmills.com.