Introduction.
In recent years, cyber attacks have become increasingly serious worldwide, causing significant damage to businesses and consumers.
In particular, attacks via IoT devices and software have a wide range of impacts from daily life to industrial systems.
In response to this situation, the European Union (EU) has enacted a new regulation, the European Cyber Resilience Act (CRA), aimed at strengthening cybersecurity.
This is the first law to unify cybersecurity requirements for products distributed within the EU, just as the GDPR unifies personal data protection.
This article provides an overview of the European Cyber Resilience Act, its scope, and the measures companies should take.
What is the European Cyber Resilience Act?
The European Cyber Resilience Act (CRA) is a new regulation agreed by the European Parliament and Council in September 2023 and formally adopted in 2024.
The aim is to mandate minimum cybersecurity requirements for all hardware products and software placed on the EU market to protect users and at the same time increase confidence in the EU internal market.
Until now, the physical safety of products has been regulated in the EU through CE marking and other means, but there were no uniform rules regarding cybersecurity.
The European Cyber Resilience Act aims to fill this gap and impose common standards on all companies.
Overview of the European Cyber Resilience Act
The European Cyber Resilience Act primarily establishes the following requirements:
Implement Security by Design
Products must have cybersecurity built in from the design phase and be safe to use after shipment.
Continued Vulnerability Management
Throughout the product lifecycle, there is an obligation to find and fix vulnerabilities and provide the necessary updates.
Incident Reporting Obligation
Any cyber-attack or critical vulnerability discovered must be reported to the European Cyber Security Agency (ENISA) within 24 hours.
Penalties
Violations can result in fines as severe as those under the GDPR: up to 4% of global turnover or €15 million.
After the effective date in 2024, companies will be given a transition period of approximately 24 months, with actual application scheduled to begin around 2026.
Products Covered by the European Cyber Resilience Act
The European Cyber Resilience Act covers a wide range of products.
IoT devices: smart home appliances, wearable devices, smartphone peripherals, etc.
Software: PC software, mobile applications, business systems
Industrial equipment: sensors, network equipment, factory control systems
Security-related equipment: firewalls, encryption devices, etc.
Products are classified according to risk level.
Standard products (low risk): Can be sold if the manufacturer itself prepares a Declaration of Conformity (DoC). No prior application is required.
Critical products (high risk): require an audit by a third-party certification body (Notified Body).
This classification allows companies to select a compliant process based on the risk level of their products.
European Cyber Resilience Act Measures
All manufacturers, including Japanese companies, are required to take the following measures to bring their products to the EU market:
Confirmation of Covered Products
Scrutinize whether your product is included in the CRA; if it has IoT or software functionality, it is almost always covered.
Establish a vulnerability management system
Prepare a system that can provide security updates and patches on an ongoing basis.
Prepare technical documentation and Declaration of Conformity (DoC)
Maintain technical documentation and prepare a DoC to demonstrate that the product complies with the CRA.
Third-party certification as required
For high-risk products, request an audit and certification from a Notified Body.
Strengthen internal education and compliance
Inform development and legal departments of the contents of the European Cyber Resilience Act and establish a company-wide system to respond to the law.
CE Marking and the Need for a Local Responsible Person
The European Cyber Resilience Act operates as part of the CE marking system. Therefore, manufacturers outside the EU (e.g. Japanese companies) are required to appoint a local responsible person (EU Responsible Person / Authorized Representative) when placing their products on the European market.
The main roles of the local responsible person are as follows:
Retention of technical documents and declaration of conformity: obligation to present them upon request of the authorities.
Liaison with market surveillance authorities: primary response in case of complaints or incidents.
Check the contents of the labeling: Check whether the CE mark, the name of the manufacturer, and the name and address of the person responsible for the EU are correctly indicated.
Security-related reporting: Prompt reporting of vulnerabilities and incidents to ENISA and other authorities.
Therefore, in order to comply with the CRA, Japanese companies will need a three-pronged approach: product security design, CE marking, and an EU responsible person.
Impact on Japanese Companies
For Japanese companies, the European Cyber Resilience Act will have a significant impact. For example, consumer electronics manufacturers exporting smart appliances to Europe will need to comply with cybersecurity requirements, not just electrical safety standards. Furthermore, this also applies to IT companies that provide IoT products and business software for the medical device and healthcare sectors.
This means that Japanese companies must be aware of European regulations and incorporate cybersecurity from the product design stage. Delays in compliance will make it difficult to enter the EU market and increase the risk of falling behind the competition.
Summary
The European Cyber Resilience Act is a new rule that is mandatory for the sale of software and hardware products in the EU market.
By the start of application in 2026, companies will need to plan everything from confirming product eligibility and developing a vulnerability management system to preparing technical documentation, obtaining third-party certification where necessary, and appointing a local responsible person.
Because, along with the GDPR and CE marking, this regulation will be essential for future business development in the EU, early preparation will be the key to securing a competitive advantage.