07/04/2025

Cyber Resilience Act: impacts on contract management


The Cyber Resilience Act (CRA) is a European regulation that forms part of the legislative framework the European Union has adopted to address the cyber threat. This framework, already made up of directives (see the NIS 2 and Critical Entity Resilience (CER) directives) and regulations (see DORA, the AI regulation and the Data regulation), is now reinforced by the CRA.

A. Cyber Resilience Act: Recap

i. Cyber Resilience Act: entry into force

The CRA came into force on December 10, 2025. The deadline for companies to comply is December 11, 2027, except for:

  • The reporting obligations incumbent on manufacturers, which will apply from September 11, 2026;
  • The notification of conformity assessment bodies, which will have to be carried out from June 11, 2026.

ii. What is the scope of the Cyber Resilience Act?

All economic players involved in the marketing and lifecycle of products with digital components, in particular:

  • Manufacturers of such products (whether or not they are placed on the market for a fee);
  • Software publishers;
  • Importers of such products onto the European market, when the manufacturer is based outside the EU;
  • Distributors who make such products available on the European market.

In terms of products, it should be noted that the CRA regulation makes a number of exclusions, notably:

  • Cloud and SaaS services (already covered by NIS 2);
  • Medical devices, aeronautical products and, more generally, any product that is already subject to specific regulations in this area.

Like many American and European texts, the CRA is extraterritorial in scope. This means that the players concerned, whether or not they are based in the EU, will have to comply with the CRA if they wish to place their products on the European market.

iii. What are the different product categories?

The CRA regulation classifies products containing digital elements (“PENs”) according to their level of criticality. These are, in ascending order of criticality:

  • “Simple” PENs;
  • Free and open source software;
  • Class 1 and 2 PENs;
  • “Critical” PENs.

A wide range of products are concerned, including cameras, software, drones, connected objects, automation systems, and operating systems or platforms for managing large-scale systems.

iv. New obligations for companies?

The obligations applicable to economic operators differ depending on the level of criticality of the products. A certain degree of flexibility is allowed for products falling under Classes 1 and 2 (see previous paragraph), as controls may be conducted internally or through external bodies.

In addition to these controls, cybersecurity requirements must be considered regardless of the classification of the products. These requirements relate both to the products themselves—which must be free from known vulnerabilities and include features to monitor such vulnerabilities—and to vulnerability management, as actors are expected to implement mechanisms for notification and alert in case of any vulnerability or incident.

In essence, the CRA defines three levels of obligations:

  1. Cybersecurity by Design. Incorporating cybersecurity considerations at the product design stage. This may include data encryption, prohibition of weak passwords, and automated security updates.
  2. Vulnerability Management Throughout the Product Lifecycle. Ensuring transparency with consumers and continuous compliance.
  3. Monitoring and Risk Evaluation. Implementation of control mechanisms, risk assessments, and potentially obtaining certifications.

It is also important to note that the Cyber Resilience Act (CRA) works in conjunction with other regulations and directives (see the introduction of this article), and therefore does not comprehensively list all obligations that may apply to economic operators.

v. Sanctions

Sanctions under the CRA can reach up to €15 million or 2.5% of the total annual worldwide turnover—whichever is higher. Additionally, a product that fails to comply or is deemed to present a risk by the market surveillance authority may be subject to restrictive measures, up to and including full market withdrawal.

B. The Impact of the Cyber Resilience Act on Contract Management

Following the NIS 2 directive, which primarily targeted networks and information systems (and thus essential service operators and digital service providers), the CRA now focuses on the product value chain, bringing significant implications for contract management practices.

i. Initial assessment

The first and crucial step is conducting a comprehensive assessment:

  • Which products are affected?
  • Which parts of my organization’s value chain might be impacted?

Once this initial mapping is complete, organizations should analyze their contract portfolios to determine whether existing clauses provide sufficient flexibility or guarantee product compliance with current and future laws and regulations.

This also raises questions around the inclusion of open-source components in products, which are also subject to the CRA, and the broader issue of classifying products based on their level of criticality (see section A.iii above).

In short, this assessment phase will vary greatly depending on your business model.

ii. Drafting specific clauses

The CRA will also impact the content of both customer and supplier contracts.

Customer Contracts. New clauses will likely be needed to limit risk exposure, particularly in relation to innovative products or solutions that may require an exploratory phase. Clauses specifying documentation and deliverables will be beneficial—especially in light of potential documentation inflation driven by CRA compliance requirements.

Supplier Contracts. It will be important to include clauses ensuring CRA compliance, facilitating information sharing and allowing for audits. Specific clauses regarding incident management procedures or cybersecurity insurance coverage may also be valuable.

iii. Monitoring contract performance

Beyond drafting contracts, specific contract management actions can help ensure proper contract execution and compliance with the CRA.

On the supply chain side, this may involve:

  • Updating supplier control procedures;
  • Reassessing supplier selection criteria;
  • Conducting attack simulations to test both “cyber by design” development/maintenance practices and transparency/reporting mechanisms in case of vulnerability detection.

On the customer commitment side, contract managers will need to ensure that all agreed documentation, reporting, and vulnerability disclosure obligations are properly followed. Special attention should be given to interfaces, especially when other lots or suppliers must provide input data. In such cases, the contract manager will need to monitor any missing, late, incomplete, or incorrect data submissions, which may lead to exemptions or deadline extensions.

Can the Cyber Resilience Act be a source of opportunities for contract managers? There’s only a small step from challenge to opportunity!

Prime Conseil
Contract management excellence for sustainable profitability