Poland: Are your products with digital elements resistant to cyberattacks?

Warwick Legal Network
January 7, 2025

 

This question is especially important if you are a hardware or software manufacturer, distributor, or plan to purchase such products. Cyber resilience guarantees will soon become the standard.

The dust has not yet settled after NIS2, eIDAS 2.0 and the AI Act, and the CRA (the Cyber Resilience Act), a new regulation of the European Union, is already on the horizon. It's supposed to make our digital world less like "Oh no! We've been hacked," and more like "Don't worry, we've got it under control."

What is CRA?

The European Cyber Resilience Act (CRA) is a regulation that sets out cybersecurity requirements for hardware and software with digital elements placed on the European Union market. This includes products that have a direct or indirect connection to the Internet – from simple IoT devices to advanced enterprise software.

Why is CRA needed?

According to the justification for the regulation, digital hardware and software are among the main avenues for successful cyberattacks. In an integrated environment, an incident in one product can affect the entire organization or the entire supply chain, often spreading beyond the boundaries of the internal market within minutes.

Under certain conditions, all products with digital components integrated into or connected to a larger electronic information system can serve as a vector of attack.

The cybersecurity of these products has a particularly strong cross-border dimension, as products manufactured in one country are often used by organisations and consumers across the internal market.

The main reasons indicated are:

– Low cybersecurity of products with digital elements, reflected by widespread vulnerabilities and insufficient and inconsistent delivery of security updates to address them.

– Insufficient understanding of, and access to, information by users, which prevents them from choosing products with appropriate cybersecurity properties or using them in a secure way.

Examples of products with digital elements:

– End devices: including laptops, smartphones, sensors and cameras, smart robots, smart cards, smart speakers, routers, switches, industrial control systems.

– Software: firmware, operating systems, mobile apps, desktop apps, video games.

– Components (both hardware and software): graphics cards, software libraries.

Purpose of CRA regulation

– Reduce vulnerabilities in digital products during the design and development phases.

– Make manufacturers and vendors responsible for managing risks throughout the product life cycle.

– Increase consumer confidence by providing a safer digital environment.

Obligations of manufacturers and distributors

Documentation: products must contain clear and understandable instructions in a language that the user understands, allowing for safe installation, operation and use.

Product certification: Requirement to certify products in accordance with CRA regulations.

Penalties for non-compliance

The CRA takes enforcement seriously. Failure to comply with the CRA can result in fines of up to €15 million or 2.5% of global annual turnover – whichever is higher.

When will the CRA take effect?

The regulations will enter into force between April and June 2027. Manufacturers, importers and distributors will have 36 months to comply.

The obligation to report incidents will come into force earlier – after 21 months, i.e. in 2026.

It is worth analyzing your partners in the supply chain now and conducting security audits.

What steps should I take now?

– Conduct a security risk assessment of your products and identify existing vulnerabilities.

– Review your security practices and identify areas for improvement.

– Incorporate security by design principles into your product development process.

 

For further information, contact:

Renata Warchoł-Lewicka, Partner

Gorazda, Świstuń, Wątroba i Partnerzy adwokaci i radcowie prawni, Kraków

e: renata.lewicka@gsw.com.pl

t: +48 12 4224459

 
