Legal Requirements - seedon198/Cyber-Resilience-Act GitHub Wiki

Legal Requirements

CRA Legal Framework

Regulation Overview

The EU Cyber Resilience Act (Regulation EU 2024/2847) establishes binding legal requirements for cybersecurity of digital products placed on the EU market.

Essential Requirements

Article 10: Essential Cybersecurity Requirements

  1. Secure by Design and by Default
    • Security measures implemented from the design phase onward
    • Products delivered with secure default settings
    • Risk-based approach to selecting security measures

  2. Vulnerability Management
    • Coordinated vulnerability disclosure processes
    • Security update mechanisms throughout the product lifecycle
    • Incident response capabilities

  3. Data Protection and Privacy
    • Protection of personal data processed by the product
    • Data minimization principles
    • Transparency about data processing

Legal Obligations by Role

Manufacturers (Article 11)

  • Ensure compliance with essential requirements
  • Conduct conformity assessments
  • Draw up technical documentation
  • Report cybersecurity incidents
  • Provide security updates

Importers (Article 15)

  • Verify manufacturer compliance
  • Ensure CE marking and documentation
  • Report non-compliance to authorities
  • Cooperate with market surveillance

Distributors (Article 16)

  • Verify CE marking before distribution
  • Report suspicious products
  • Cooperate with enforcement authorities
  • Maintain traceability records

Penalties and Enforcement

Administrative Fines

  • Up to €15,000,000 or 2.5% of annual worldwide turnover
  • Fines are proportionate to the severity of the violation
  • Cooperation with authorities and remedial measures taken are considered when setting the fine

Market Surveillance Powers

  • Product testing and inspection
  • Request information and documentation
  • Order product withdrawal or recall
  • Impose temporary restrictions

Legal Compliance Checklist

  • Essential requirements implemented and documented
  • Conformity assessment completed (self or third-party)
  • CE marking affixed and Declaration of Conformity signed
  • Technical documentation maintained
  • Incident reporting procedures established
  • Security update mechanisms operational

For technical implementation guidance, see Technical Implementation. For assessment procedures, visit Conformity Assessment.