The Cyber Resilience Act (CRA), established under EU Regulation 2024/2847, entered into force on December 10, 2024. It introduces comprehensive cybersecurity rules for manufacturers and developers of Products with Digital Elements (PDEs) available in the European Union market, complementing the already existing regulatory framework on cybersecurity and technology.
The regulation sets a phased implementation schedule to allow stakeholders, economic operators, and Member States to align with its requirements. Full compliance with all CRA obligations will become mandatory from December 11, 2027.
The CRA applies to all Products with Digital Elements (PDEs) available in the EU market. PDEs encompass both hardware and software products (including hardware or software components placed on the market separately) capable of connecting, either directly or indirectly, to other devices or networks. PDEs can be categorized into three main groups: devices, software, and components. Devices include computing devices such as laptops, smartphones, mobile devices, smart and IoT devices, sensors and cameras, routers, etc. The software category includes firmware, operating systems, mobile applications, desktop applications, video games, etc. Finally, the components category encompasses, among others, central processing units (CPUs), graphics cards, and software libraries.
Regarding the Greek market, the CRA imposes various obligations on Greek manufacturers, importers, and distributors of PDEs, and on the Hellenic State as well.
To become available in the Greek market, PDEs must adhere to the CRA’s cybersecurity requirements and bear the CE marking, certifying compliance and enabling free circulation within the EU.
Greek manufacturers, particularly those producing IoT devices and software, must adopt “Security by Design” principles. These include secure configurations, risk assessments, vulnerability management, and security updates throughout the product lifecycle. Compliance not only ensures market access but also strengthens the legal framework for consumer protection by enhancing product safety and trust.
Taking into account the high volume of imported PDEs in Greece, it is critical that Greek importers and distributors, as key players in the supply chain, verify that PDEs meet CRA requirements and are CE-marked. In addition, they are obligated to promptly notify manufacturers of any identified vulnerabilities or lack of compliance under the CRA. To meet these obligations, they must establish robust processes for supplier oversight, due diligence, and vulnerability detection.
The Hellenic State must designate its competent authority by June 11, 2026. The competent authority will have several enforcement powers, including imposing penalties on non-compliant entities, banning or recalling non-compliant products from the market, and monitoring market surveillance efforts to ensure ongoing compliance.
Non-compliance with CRA requirements can result in severe penalties, including fines of up to €15 million or 2.5% of annual turnover.
Harmonization with existing frameworks, such as the NIS2 Directive (National Law 2024/5160), will also be essential to prevent overlaps.
Despite these challenges, CRA compliance provides Greek businesses with opportunities to strengthen their competitive position, access broader EU markets, and enhance products’ cybersecurity.
Fostering collaboration between legal and technical sectors will be essential to ensure Greece’s role as a secure and reliable provider of PDEs within the EU.
Edited by Michales Kamposos