      The Cyber Resilience Act (CRA) is a European Union regulation aiming to strengthen the cybersecurity of digital products and software. The main purpose of CRA is to ensure that products with digital components are secure throughout their lifecycle, from design and development to post-market support.

      Timeline for the Cyber Resilience Act Implementation

      (Figure: CRA timeline)

      Who is affected by the Cyber Resilience Act?

      The Cyber Resilience Act applies to all products with digital elements, such as hardware, IoT and smart devices, and software, including operating systems and applications, that are connected directly or indirectly to other devices or networks.

      The regulation applies to manufacturers, importers, and distributors of digital products on the EU market, regardless of their origin.

      Non-compliance can result in significant fines (up to €15 million or 2.5% of the global annual turnover).

      Objectives of the regulation

      • Harmonised standard for cyber security across the EU
      • Increased overall cyber security of digital products on the internal market
      • Improved consumer trust in digital products and services

      What requirements does the Cyber Resilience Act impose?

      Security by design and default

      Manufacturers must ensure that security is a fundamental aspect throughout a product’s lifecycle.

      Vulnerability handling

      Companies must put in place processes to fix vulnerabilities and share information with users and authorities.

      Ongoing support

      Security updates and vulnerability patching must be provided for a defined period after the product is placed on the market.

      Mandatory reporting

      Manufacturers must report actively exploited vulnerabilities and incidents to EU authorities (ENISA).

      How can we help

      • Cyber Resilience Act assessment

        Independent assessments against the cyber resilience and risk management requirements of CRA

      • Gap analysis and implementation consulting

        Ensure CRA compliance of products and services with support from KPMG experts

      • Technical testing

        Pentesting, hardware and firmware analysis

      • Threat modelling

        Structural analysis of the system’s features and processes that can influence security, including identification of potential threats, mitigating actions, and model validation.

      • Legal analysis

        Assessment of requirements applicability and alignment review for products and services.


      Connect with us

      Karri Tomula

      Cyber Advisory

      KPMG in Finland

      Mika Iivari

      Partner, Cyber Advisory

      KPMG in Finland
