The EU’s Cyber Resilience Act (CRA) makes it safer for consumers and businesses to purchase software and hardware products with a digital component.

To understand what this means for UK law firms, read on for an overview of what the law covers, how it relates to the UK, and its implications for data protection and client confidentiality.

What the Cyber Resilience Act Covers

Since it entered into force on 10 December 2024, the CRA has aimed to make the purchase of hardware and software products with a digital component more secure by requiring manufacturers to design those products securely, to handle vulnerabilities, and to provide security updates throughout the product's support period. Its main obligations apply from 11 December 2027, with manufacturers' obligations to report actively exploited vulnerabilities and severe incidents applying earlier, from 11 September 2026.

The EU recognises that “products and software that contain a digital component are omnipresent in our daily lives”, prompting the creation and entry into force of a law that promotes cybersecurity and digital safety in this area.

Implications for UK Law Firms

Because the UK is no longer a part of the EU, this EU law does not automatically apply to the UK. In fact, the CRA can largely be considered the EU's equivalent of the UK's Product Security and Telecommunications Infrastructure (PSTI) regime, albeit a considerably more expansive and wide-ranging one: the PSTI regime covers consumer connectable products, whereas the CRA covers most hardware and software with a digital component placed on the EU market.

Nevertheless, the CRA will have indirect implications for UK law firms. Law firms depend on software and online tools such as document management systems, cloud platforms, and legal tech. Where a product is placed on the EU market, its manufacturer must comply with the CRA regardless of where the product was made, so a UK firm buying the same product as EU customers will usually receive a CRA-compliant version, and with it a commitment to vulnerability handling and security updates that helps keep clients' confidential information secure. Products that are never placed on the EU market are outside the CRA's scope, so this benefit cannot be assumed for every tool.

Practical Steps for Compliance

UK law firms that use technology placed on the EU market should ensure their technology providers are aware of these requirements and acting on them. This due diligence should extend into procurement and contracting practices, where suppliers ought to be asked specific questions about their cyber resilience obligations: whether the product falls within the CRA's scope, how long the support period is during which security updates will be provided, how vulnerabilities can be reported to the supplier and how they are handled, and how the firm will be told about actively exploited vulnerabilities in the product. Building these considerations into supplier assessments and agreements will help firms ensure that the tools they rely on are compliant.

UK firms should also keep a close watch on developments in domestic legislation, including the proposed Cyber Security and Resilience Bill. That Bill would update the UK's NIS Regulations 2018 and is aimed at providers of essential and digital services and their suppliers rather than at products, so it is not a direct counterpart to the CRA and its requirements may differ from the EU's approach.

Turning Compliance into a Strength

By using CRA-compliant software and platforms, law firms can strengthen their protection of sensitive client information and so win client confidence. However, compliance should not be assumed: the CRA places its obligations on manufacturers, importers, and distributors, not on the firms that use the products. UK law firms should therefore confirm with their technology providers how obligations around vulnerability handling, security updates, and the reporting of actively exploited vulnerabilities and severe incidents will be handled in practice, and how the firm will be notified. European clients, in particular, may want reassurance that the systems their lawyers rely on are CRA-compliant products, backed by supplier commitments the firm can evidence.