Cyber Resilience Act: The EU Security Standard That Could Reshape the Swiss Market?

14.03.2025

Regulation (EU) 2024/2847 (Cyber Resilience Act or CRA) introduces, for the first time, a European legal framework establishing mandatory cybersecurity requirements for all products with digital elements placed on the EU market. The regulation sets minimum security standards for hardware, software, and remote data processing solutions, ensuring they are designed, developed, and maintained with appropriate cybersecurity features.

The regulation categorizes products into two risk levels:

  • Standard products, subject to basic security requirements

  • Critical products, divided into Class I and Class II, which must meet stricter certification obligations

Objective
The CRA addresses two key issues: the widespread vulnerabilities in digital products and the lack of user information, which hampers the ability to choose secure products. The regulation establishes specific requirements for vulnerability management, security monitoring, and CE compliance, thereby eliminating regulatory fragmentation among Member States.

Affected Stakeholders
The regulation applies to:

  • Manufacturers, importers, and distributors of products with digital elements (hardware and software)

  • Companies distributing digital products that are directly or indirectly connected to a network

  • Open-source software operators offering long-term support for free/open-source software with commercial applications

However, end users are also indirectly affected by this complex regulatory environment, as will be further discussed.


Key Milestones
Following its entry into force in December 2024, the regulation will be implemented in phases:

  • Notification of conformity assessment bodies: from 11 June 2026

  • Mandatory reporting of vulnerabilities and security incidents: from 11 September 2026

  • Full application of all requirements: from 11 December 2027

Non-compliance may result in penalties of up to €15 million or 2.5% of global annual turnover.


A Risk-Based Approach
The CRA follows a risk-based approach, setting stricter requirements for "important" and "critical" products that pose a higher cybersecurity risk. The regulation introduces a deep transformation in how digital products are designed, developed, and managed in terms of security—making compliance a strategic factor for companies operating in the EU market.


CRA and Switzerland: Specific Implications
Currently, Switzerland does not have a legal framework equivalent to the EU Cyber Resilience Act (CRA). The Swiss approach to cybersecurity is fragmented and sector-specific, with targeted rules for certain domains but no horizontal regulation defining minimum security requirements for all products with digital elements.

Nonetheless, Swiss companies exporting digital products to the European Union are subject to the CRA and must ensure compliance to access the single market.

At the national level, the National Strategy for the Protection of Switzerland against Cyber Risks (NCS) provides general guidance to strengthen cyber resilience but does not impose specific regulatory obligations on hardware and software manufacturers.

Some regulated sectors, such as finance, already follow cybersecurity practices mandated by FINMA (Swiss Financial Market Supervisory Authority), but these are not fully aligned with the CRA’s requirements.

It is likely that Switzerland will, in the future, adopt harmonized regulations aligned with the EU to reduce trade barriers and facilitate Swiss companies’ access to the European market, as has been the case with other technical standards.

Core Requirements of the CRA
The Cyber Resilience Act introduces a series of core requirements that radically reshape the approach to digital product security in the European market:


Security by Design and Vulnerability Management:

  • Obligations for manufacturers to integrate security during the design and development phases

  • Products placed on the market must not contain known exploitable vulnerabilities

  • Provision of security updates throughout the entire support period (minimum 5 years)

  • Secure configuration as the default setting

  • Structured system for vulnerability management and documentation, including a Software Bill of Materials (SBOM)


Conformity Assessment Procedures:

  • Self-certification (internal control) for standard products

  • Assessment by notified bodies for “important” and “critical” products

  • Complete technical documentation to demonstrate conformity


Mandatory Reporting Requirements:

  • Reporting within 24 hours of actively exploited vulnerabilities

  • Notification of severe security incidents to the relevant national CSIRTs (Computer Security Incident Response Teams)

  • User notification regarding vulnerabilities, updates, and end-of-support timelines

  • Implementation of coordinated vulnerability disclosure policies


Additionally, the CRA represents a central and complementary pillar in the EU’s cybersecurity legal framework, integrating with existing sector-specific regulations and reinforcing the minimum security standards for digital products.


What Does It Mean for Your Company?
The CRA brings tangible benefits to end users:

  • More secure and reliable digital products

  • Greater transparency on security features and support periods

  • Free security updates for at least five years

  • Clear lifecycle and support-end information

However, critical issues remain, particularly the continued use of legacy systems due to:

  • high replacement costs

  • functional dependencies

  • proven reliability

  • internal expertise requirements

  • migration-related operational risks

  • regulatory compliance constraints

In smart building contexts, it is especially relevant that hardware and IoT devices often remain in service well beyond the 5-year minimum support period required by the CRA, creating a compliance and security grey area.

Although the CRA does not impose direct penalties on end users who continue using products beyond the mandatory support period, failure to update or replace such products could be considered negligence in other legal contexts.

For instance, in a cyber incident or data breach, regulators (e.g., under the GDPR, which allows fines of up to €20 million or 4% of global annual turnover) may reference the CRA as a standard when assessing corporate diligence.
They may argue that the company, despite being aware of the end-of-support risks, did not implement adequate preventive measures.


Recommended Actions:

  • Conduct a detailed gap analysis of digital products

  • Develop risk mitigation strategies

  • Document in advance the risk analysis, the safeguards implemented, and the segmentation of critical legacy systems

Note that EU sanctions are administrative in nature and do not offer direct compensation to affected parties, who must pursue legal action independently.

Authorities can issue sanctions based on technical assessments, which may sometimes be incomplete or scientifically debatable. Only afterward can companies appeal before the competent judicial authority, which will review procedural aspects and sanction proportionality, but may not carry out a deep technical review.

In other words, the burden of proof shifts to the company, which must demonstrate that the legacy system or IoT component did not contribute to the incident, or that effective compensatory measures were in place.
This means companies must prove they acted with due diligence, rather than the authority proving negligence.