First of its Kind: Cyber Resilience Act

05.12.2024

Definition and Scope of the EU Cyber Resilience Act
What will be the Enforcement Sanctions?

The Cyber Resilience Act (CRA), which aims to harmonize the cybersecurity requirements of digital products between the member states of the European Union and ensure that these products comply with cybersecurity standards, was published in the EU Official Journal on 20 November 2024.

In a world where cyber-attacks are on the rise, with reports predicting that an attack will occur every 2 seconds by 2031 and that this may cause an annual cost of more than € 251 billion^{^[1]} , this law will make a big name for itself.

Surely, cyber security-oriented regulations in the EU, such as the Cyber Security Law, Directive Network and Information Security Directive (NIS2) should not be disregarded.

Although the law will generally come into effect on 11 December 2027, certain provisions will apply earlier.

Definition and Scope of the EU Cyber Resilience Act

The first EU-wide CRA aims to establish a single set of rules for the whole EU, covering all software and hardware products, including data processing systems and components for sale separately.

The CRA aims to ensure that products with digital components are safe throughout their lifecycle, covering manufacturers, software developers, importers, distributors and resellers. It would be appropriate to say that the CRA focuses primarily on companies that develop and market non-embedded software.

All products that are directly or indirectly connected to the network, such as Internet of Things (IoT) devices, operating systems and high-risk artificial intelligence systems, are covered by the law. However, there are of course some exceptions to the scope:

▪️ Devices already covered by other EU rules (NIS2 Directive, AI Act, etc.)

▪️ Software as a service (SaaS) that is not a core component of the product. Some products are excluded, such as free open-source software, which is used for research and innovation and is not for profit.

However, it should be emphasized that open-source software from which developers derive some form of commercial activity is included.

The CRA divides products into two main categories according to their level of importance as important and critical:

▪️ Important products: Products are considered “important” if they provide critical functions for cybersecurity or can adversely affect user and product security through manipulation. Examples include products that contain digital elements and provide critical functions for cyber security such as identity management, VPN, operating systems.

▪️ Critical products: Critical products are defined according to the risk that vulnerabilities could cause serious disruptions in the supply chain. Examples include hardware devices with security boxes, smart meter gateways and smart cards.

We have compiled the prominent regulations in the CRA for you below:

Basic Requirements: CRA sets out the basic requirements to ensure the cyber security of digital products. Products must be designed, developed and manufactured to address risks. These basic requirements include eliminating security vulnerabilities, offering default security configurations, providing timely security updates, and protecting data confidentiality, integrity, and availability.

Key Requirements Imposed on Manufacturers: Manufacturers must provide a control mechanism against unauthorized access, limit data collection to only what is necessary, and ensure resilience against potential attacks. In addition, manufacturers are required to test product security on a regular basis and immediately identify and fix security vulnerabilities.

▪️ Product lifecycle security: Manufacturers should ensure cybersecurity at all stages of the product (design, production, updates), remediate vulnerabilities and offer default security settings.

▪️ Product conformity assessments: All products must undergo security checks before they can be sold on the EU market, and products that pass the checks must be CE marked, which is required before they can be sold in the EU.

▪️ Vulnerability reporting: Manufacturers are required to provide a method for reporting vulnerabilities or receiving such reports. Manufacturers must report actively exploited vulnerabilities within 24 hours and provide a more detailed report after 72 hours.

▪️ Third-party component integration: If manufacturers use components or software produced by others, including open-source components, they must secure them, document vulnerabilities, and report the person or organisation that produced or maintains the vulnerable component.

What will be the Enforcement Sanctions?

In case of non-fulfilment of the CRA rules, the highest of the following amounts will be imposed as a fine:

Cyber security breaches: up to €15,000,000 or 2.5 per cent of annual sales
Other infringements: Up to €10,000,000 or 2% of annual sales
Providing incorrect information: Up to €5,000,000 or 1% of annual sales

Table on the Application Date of the CRA:

The full text of the CRA is available here (only available in EU languages).

[1] https://cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-reach-250-billion-usd-by-2031/

This website is available “as is. Turkish Law Blog is not responsible for any actions (or lack thereof) taken as a result of relying on or in any way using information contained in this website, and in no event shall they be liable for any loss or damages.

The content and materials published on this website are provided for informational purposes only and should not be used as a legal opinion in any way. This website and the information contained are not intended to establish an attorney-client relationship.

Yeşil, Sosyal ve Sürdürülebilir Sermaye Piyasası Araçlarına İlişkin Mevzuat Gelişmeleri

Regulatory Developments on Green, Social and Sustainable Capital Market Instruments

Possibility for Participants Operating in the Istanbul Financial Center to Keep Their Books in Foreign Currency

Türk Parası Kıymetini Koruma Hakkında 32 Sayılı Karar Kapsamında Dövizle Sözleşme Yapma Yasağının Eser Sözleşmelerindeki Uygulaması

The Application of the Prohibition on Contracting in Foreign Currency in Work Contracts Under Decree No. 32 on the Protection of the Value of Turkish Currency

The Regulation Amendıng the Regulation on Workplace Opening and Operation Licenses Has Been Published

New Guidelines on Competition Infringements In Labour Markets

Two-minute Recap of Turkish Competition Law Developments - November 2024

Rekabet Kurulu’nun İş Gücü Piyasalarındaki Rekabet İhlallerine Yönelik Kılavuzu Hakkında Bilgi Notu

Construction Arbitration: Türkiye - Part 4

Construction Arbitration: Türkiye - Part 3

Construction Arbitration: Türkiye - Part 2

Sosyal Ticaretin Gelişimi ve Kişisel Verilerin Korunması Üzerine Hukuki Bir Değerlendirme

Kişisel Verileri Koruma Hukuku Güncel Gelişmeler - Kasım 2024

Reklam Kurulu Kararlarının Kişisel Verilerin Korunması Hukuku Bakımından İncelenmesi

9. Yargı Paketi Kapsamında Bazı Usul Kanunlarında Yapılan Değişiklikler

9. Yargı Paketi Olarak Adlandırılan 7531 Sayılı “Bazı Kanunlarda Değişiklik Yapılmasına Dair Kanun” 14 Kasım 2024 Tarihli ve 32722 Sayılı Resmi Gazete’de Yayımlandı!

Law No. 7531 on the Amendment of Certain Laws, referred to as the 9th Judicial Package was published in the Official Gazette dated 14 November 2024 and numbered 32722!

E-ticaret Şirketlerinin Coğrafi Veri İzni Alma Zorunluluğunda Önemli Değişiklikler

E-Ticarette Ürün Güvenliği İçin Yeni Kurallar!

Tüketicinin Korunması ve E-Ticaret Mevzuatlarında Yapılan Son Değişiklikler

Kamuda Enerji Performans Sözleşmesi Uygulaması

Ulusal Taşıt Tanıma Sistemi Uygulama Genel Tebliği Hakkında Bilgilendirme

LPG Piyasasında Birleşme ve Bölünme İşlemleri: Yasal Çerçeve ve Uygulamalar

CSRD ve CSDDD’nin Türk Şirketleri İçin Önemi

The Importance of CSRD and CSDDD for Turkish Companies

Avrupa Yeşil Mutabakatı Türkiye’yi Nasıl Etkiler? Taksonomi ve Sürdürülebilirlik Kavramları Çerçevesinde Değerlendirme

Takip Teknolojileri, Bankacılık Verisi, Pazarlama, Veri İhlali; DI-2021–5544 sayılı Avanza Bank Kararı

Kripto Varlıklara İlişkin Düzenlemeler Dur Durak Bilmiyor

Regulations on Crypto Assets Know No Bounds

Reasürans Sözleşmelerinden Doğan Uyuşmazlıklarda Reasürans Sigortacısının Esas İşyeri Mahkemesinin Yetkili Olduğuna Dair Karar

Nakdi Tazminat Kanun’unda yer alan “…ve Manevi…” İbarelerinin İptaline dair Anayasa Mahkemesi Kararı

2010 Öncesi Kazalarda PMF Tablosunun Kullanılması Gerektiği Hakkında Yargıtay Kararı

Can Reputation be Compensated under Turkish Trademark Law?

Küresel Rekabet için Türkiye'nin Fikri Mülkiyet Stratejisi

Recent Update on Well-known Trademark Protection in Türkiye

The BR International Trade Report: December 2024

The BR International Trade Report: November 2024

The BR International Trade Report: October 2024

İşveren Şirket Tarafından Çalışanlara Şirket Hissesi (Pay Senedi) Hediye Edilmesinin İş Hukuku Kapsamında Değerlendirilmesi

Yargıtay 9. Hukuk Dairesinin 27/06/2024 Tarihli ve 2024/7673 E., 2024/10230 K. Numaralı Kararı

Decision of the 9th Civil Chamber of the Supreme Court dated 27.06.2024 and case number 2024/7673, decision number 2024/10230

Evaluating Disparaging Practices against Competitors in the Pharmaceutical Sector: A Competition Law Perspective

Sosyal Güvenlik Kurumu İlaç Geri Ödeme Yönetmeliğinde Değişiklik Yapılmasına Dair Yönetmelik Yayımlandı

The Regulation Amending the Regulation on Drug Reimbursement of the Social Security Institution Has Been Published

Uzaktan İletişim Araçları Yoluyla Piyasaya Arz Edilen Ürünlerin Piyasa Gözetimi ve Denetimi Yönetmeliği Yayımlandı

Reklamlarda Kullanılan Görsellerdeki Telif Sorunu

Regulation on Market Surveillance and Inspection of Products Introduced to the Market via Remote Communication Tools

M&A İşlemlerinde Somut Olaya Göre Kurgulanmış Sözleşme Maddelerinin Giderek Artan Rolü

The Evolving Role of Tailored Clauses in M&A Transactions

Due Diligence Process for Turkish Companies – What to Watch Out for?

Kira Ödemelerini Tevsik Zorunluluğu Getiren Gelir Vergisi Genel Tebliği Yayımlandı

Konut Kira Artış Oranı Bilgilendirme Notu

General Communiqué on Income Tax about the Mandatory Documentation of Rent Payments Published

Konkordato

İcra İnkâr Tazminatında Borçlunun İtirazının Haksız Olması ve Likid Alacak Kavramları

Anonim Şirketlerde Önemli Miktardaki Varlığın Satışı ve İlgili Tartışmalı Konular

TEKMER (Teknoloji Geliştirme Merkezi) Nasıl Kurulur ve Girişimcilere Hangi Destekleri Sunar?

Ters Hak Ediş (Reverse Vesting) Nedir?

Köprüden Önce Son Çıkış: Önemli Olumsuz Değişiklik Maddesi (MAC Kloz)

İştirak Hissesi Satış Kazancına İlişkin İstisna Oranı Azaltıldı

Exemption Rate For Capital Gains Arising From Disposal of Participation Shares Has Been Reduced

Liman ve Hava Meydanlarında Verilen Hizmetlere ilişkin KDV Tebliğinde Değişiklik Yapıldı

2025 Cumhurbaşkanlığı Yıllık Programı Yayımlandı: Dijital Dönüşüm ve Sağlık Verileri Alanında Yeni Adımlar

2025 Presidential Annual Program Published: New Steps in Digital Transformation and Health Data

Tam Otonom Araçlar İçin Yeni Dönem: Tam Otonom Araçların Otonom Sürüş Sistemine İlişkin Motorlu Araçların Tip Onayı Hakkında Yönetmelik Yayımlandı

Limanlar Yönetmeliğinde Değişiklik Yapılmasına Dair Yönetmelik Yayımlandı

Regulation on Preventing Collision at Sea

Türkiye’de Deniz Kirliliği Cezalarına İlişkin Yeni Düzenleme

Yeni Yıl Yaklaşırken Hediye, Ağırlama ve Etik Denge

Gifts, Hospitality, and Ethical Balance as the New Year Approaches

Şeffaf Bir Dünya İçin: 9 Aralık Dünya Yolsuzlukla Mücadele Günü

First of its Kind: Cyber Resilience Act

Contents

Definition and Scope of the EU Cyber Resilience Act

What will be the Enforcement Sanctions?

Popular Articles on Technology & Telecoms

Latest Insights from Gökçe

Subscribe to our newsletter