With the rapid evolution of digital technologies, Europe is facing a constant increase in cyber threats. Cybercrime, whether data breaches, cyberattacks or hacking, represents a serious risk to the security of individuals, businesses and public institutions. In response to these challenges, the European Union (EU) has introduced a number of regulations, among which the Cyber Resilience Act (CRA) stands out as a major initiative aimed at strengthening the continent's cyber resilience.
The Cyber Resilience Act is a legislative proposal from the European Commission, unveiled in September 2022, which aims to ensure that digital products marketed in the EU are designed to be secure from the moment they are manufactured. It is part of a series of measures taken by the EU to improve digital security and protect critical infrastructures.
The Cyber Resilience Act (CRA) applies to a product's entire supply chain, encompassing:
Improving the security of digital products: All products with digital elements sold in the EU will have to meet minimum security standards.
Reducing vulnerabilities: The CRA requires manufacturers to maintain and update their products to correct security flaws throughout their lifetime.
Greater transparency: Companies will have to provide clear information on the security measures of their products, enabling consumers to make informed choices.
Making manufacturers accountable: Manufacturers will be held responsible for security failures in their products, encouraging secure design from the outset.
The rise of the Internet of Things (IoT) and the increasing integration of digital technology into all aspects of modern life have multiplied the potential vectors for cyberattacks. According to estimates, the global cost of cybercrime could reach $10.5 trillion a year by 2025. In Europe, companies report a significant increase in cyberattacks, from 75% in 2020 to 95% in 2021.
Current regulations such as the GDPR and the NIS 2 Directive are important, but the CRA fills gaps in digital security.
The CRA covers a wide range of digital products, including IoT devices, software and connected services, requiring security compliance.
The CRA requires manufacturers to manage security throughout the product lifecycle. This includes not only initial design and production, but also maintenance and post-market updates. Manufacturers must ensure the availability of security updates for a defined period after the product has been placed on the market.
Companies will be required to notify the relevant authorities of any critical vulnerabilities discovered in their products. This measure is designed to enable rapid reaction to emerging threats and prevent potential exploitation of these flaws.
The CRA provides for penalties for non-compliance, with fines of up to €15 million or 2.5% of the company's worldwide annual sales, whichever is greater. These penalties are designed to be sufficiently dissuasive to encourage genuine implementation of robust security measures.
For companies
For consumers
Sanctions
The Cyber Resilience Act (CRA) will also introduce penalties for identified non-compliance. Maximum potential fines for non-compliance will range from €5 million to €15 million, or from 1% to 2.5% of worldwide annual sales, whichever is greater. The CRA categorizes violations as follows:
With the CRA, Europe is positioning itself as a world leader in securing the digital space. By imposing strict security standards for digital products and businesses, this means a greater need for investment in security. For consumers, it means the promise of safer products and greater transparency. In the event of non-compliance, heavy penalties will be applied.
References:
https://www.consilium.europa.eu/fr/infographics/cyber-threats-eu