
EU Cyber Resilience Act — Guide for General Counsel

What the CRA means for your role, your team, and your day-to-day responsibilities.

General Counsel carries ultimate legal accountability for the organisation's CRA compliance posture. The CRA creates legal obligations that span product design, documentation, market authorisation, ongoing vulnerability management, and mandatory reporting. Failures can result in administrative penalties, product withdrawal, reputational damage, and civil liability under the updated EU Product Liability Directive. Understanding the full scope of exposure — and the legal instruments available to manage it — is essential for effective GC oversight.

Your CRA responsibilities:

  • Assess the CRA's applicability to each product line and advise on product classification
  • Review and approve the Declaration of Conformity before CE marking is applied
  • Establish and manage the EU Authorised Representative relationship for non-EU manufacturers
  • Advise on NCA enforcement response strategy when market surveillance inquiries arise
  • Ensure contractual protections with suppliers address CRA supply chain obligations
  • Coordinate with regulatory affairs on technical file completeness and retention obligations
  • Assess product liability exposure under the updated EU Product Liability Directive and advise on insurance adequacy

General counsel's CRA legal exposure

The CRA imposes obligations on the 'manufacturer' as a legal entity, meaning liability attaches at the corporate level. General Counsel must advise the board on the scope of that liability: administrative fines of up to €15 million or 2.5% of global annual turnover for most non-conformities, and up to €20 million or 4% for providing incorrect, incomplete, or misleading information to conformity assessment bodies or market surveillance authorities. These penalties are imposed by national market surveillance authorities, with appeals routed through national administrative or judicial processes. Beyond regulatory penalties, the updated EU Product Liability Directive — which entered into force alongside the CRA — enables economic operators to be held civilly liable for damage caused by defective products, including defective software. The CRA and the Product Liability Directive interact: a product that is non-conformant with the CRA's security requirements is more readily characterised as 'defective' under the Directive.

CRA reference: Article 64

Declaration of Conformity and EU Authorised Representative obligations

Article 23 requires manufacturers to draw up an EU Declaration of Conformity (DoC) for each product, confirming that it meets the CRA's requirements. The DoC must be signed by the manufacturer or their authorised representative and must reference the conformity assessment procedure used. Annex V specifies the mandatory content: manufacturer identity, product description, applicable EU legislation, a reference to harmonised standards relied upon (if any), and the place and date of issue. For manufacturers not established in the EU, Article 23 requires appointment of an EU Authorised Representative before placing the product on the market. The Authorised Representative agreement must be in writing, must specify the products covered, and must grant the Representative authority to cooperate with market surveillance authorities on the manufacturer's behalf. The Representative holds a copy of the technical file and the DoC and must make them available to NCAs within defined timeframes.

CRA reference: Article 23, Annex V

NCA enforcement response preparation

National competent authorities have broad investigative and enforcement powers under the CRA. They may request access to the technical file and DoC, conduct product evaluations, issue requests for corrective action, restrict product sales, or initiate product recalls. General Counsel should prepare the organisation for NCA engagement before it occurs. This means: ensuring the technical file is retrievable and audit-ready within the response window that will be specified in any NCA notice; establishing a designated legal contact for NCA correspondence; preparing a template NCA response protocol that involves legal, regulatory affairs, and the relevant technical teams; and identifying external regulatory counsel experienced in CRA enforcement in each key Member State market. Where an NCA identifies a potential non-conformity, early engagement and a credible corrective action plan will significantly reduce the risk of formal penalties.

CRA reference: Article 41, Article 43, Article 58

CRA product liability intersection

The Directive on Liability for Defective Products (the updated Product Liability Directive, which replaced the 1985 Directive) extends liability to software and includes provisions specifically relevant to CRA non-conformity. Under the updated Directive, a product is 'defective' if it does not provide the safety that the public is entitled to expect — and products that fail to meet the CRA's Annex I security requirements are likely to be characterised as defective where that failure causes harm. The Directive reverses the burden of proof in certain circumstances and introduces disclosure obligations that require manufacturers to provide claimants with relevant technical documentation. General Counsel should assess product liability exposure for each product line, confirm that commercial insurance covers CRA-related claims, and advise engineering and product teams on the liability implications of known-but-unpatched vulnerabilities left in released products.

CRA reference: Article 13, Annex I

Getting started checklist

  • Commission an internal legal review mapping each in-scope product against CRA obligations and identifying current gaps.
  • Review commercial contracts with key suppliers to confirm CRA-relevant terms (SBOM delivery, vulnerability notification, audit rights) are present or must be added on renewal.
  • If the company is not established in the EU, identify and contract with an EU Authorised Representative immediately.
  • Review the DoC template for each product class and confirm it satisfies Annex V requirements.
  • Assess whether existing product liability insurance adequately covers CRA-related claims and request insurer confirmation in writing.
  • Brief the board on the penalty exposure and the legal instruments for mitigation.
  • Establish a retention policy for technical file documents covering the required ten-year period after last placement on the market.

CRA reference: Article 23, Annex V, Article 64, Article 13

CVD Portal handles your CRA Article 13 obligations automatically.

Public CVD submission portal, 48-hour acknowledgment tracking, Article 14 deadline alerts, and CSAF advisory generation — built for GCs and their teams.


Frequently asked by GCs

Can a subsidiary's non-compliance create liability for the parent company?

The CRA's penalty provisions target the 'manufacturer' — the legal entity that places the product on the EU market. Where a subsidiary is the manufacturer, liability attaches to the subsidiary. However, parent companies may face exposure through two routes: first, if the parent company participates in placing the product on the market (for example, by holding the CE marking in its own name), it may be considered a co-manufacturer; second, in corporate law systems that permit group liability for regulatory breaches, parent company involvement in the non-compliance may attract liability. General Counsel should review the corporate structure and determine at which entity level CRA obligations are held for each product line.

Are there specific legal privilege considerations for CRA technical files?

Technical files are regulatory documents, not legally privileged communications, and manufacturers must make them available to market surveillance authorities on request. Documents prepared by lawyers specifically to advise on legal strategy in response to an NCA investigation may attract legal professional privilege, but this protection applies to the legal advice, not to the underlying technical file. General Counsel should advise technical teams that the technical file is a regulatory document that must be accurate and complete, and that it should not contain speculative or preliminary draft content that could be mischaracterised in enforcement proceedings.

How should the General Counsel respond to a manufacturer liability claim arising from an actively exploited CRA product vulnerability?

Immediately preserve all relevant documentation: the technical file, vulnerability triage records, SBOM at the time of the release in question, Article 14 notification records (if applicable), and internal communications about the vulnerability's discovery and remediation decision. Assess whether the claim triggers any notification obligation to insurers or regulators. Engage external product liability counsel experienced in EU digital product claims. Determine whether the vulnerability was known at the time of placing the product on the market — if so, this is the most significant liability factor under both the CRA and the Product Liability Directive. Cooperate with any parallel NCA investigation through separate legal representation if necessary to avoid conflicts of interest.

Need a CVD policy template your team can deploy today?

Free CRA-compliant templates for every stage — from first CVD policy to full PSIRT programme.
