EU Enacts Cyber Resilience Legislation for Networked Gadgets
The European Union (EU) is set to introduce a new cybersecurity regulation, the Cyber Resilience Act (CRA), which aims to enhance the security of products with digital elements. The CRA, slated to be signed by the presidents of the Council and the European Parliament in the coming weeks, will be published in the EU's official journal and enter into force twenty days after its publication.
The CRA will make the existing cybersecurity legislative framework more coherent, filling gaps, clarifying links, and ensuring a more unified approach to digital product security across the EU. It will replace the various cybersecurity requirements from different pieces of legislation in EU member states, providing a single set of rules for manufacturers and importers.
The CRA will apply to a wide range of products, including Internet of Things (IoT) devices such as smart doorbells, speakers, and baby monitors. The regulation will also cover the entire lifecycle of these products, from design and development to production and making them available on the market.
To help consumers identify hardware and software products with the proper cybersecurity features, products compliant with the CRA will bear the CE marking. This marking signifies that products sold in the European Economic Area (EEA) have been assessed to meet high safety, health, and environmental protection requirements and, now, cybersecurity requirements as well.
However, there may be exceptions to the CRA requirements for certain products, such as medical devices, aeronautical products, and cars, where cybersecurity requirements are already set out in other existing EU laws.
The CRA requirements will not overlap with those from different pieces of legislation in EU member states, ensuring a harmonious and efficient implementation of the regulation. In the UK, a similar law, the Product Security and Telecommunications Infrastructure (PSTI) Act, came into force in April 2024.
Some provisions of the CRA will apply 36 months after its entry into force. The new regulation is expected to boost the cybersecurity of digital products, enhancing the protection of consumers' data and privacy, and contributing to the EU's digital sovereignty.
With the official adoption of the Cyber Resilience Act by the European Union Council, the EU is taking a significant step towards a more secure digital future. The CRA is expected to set a new global standard for digital product security, inspiring other regions to follow suit in ensuring the safety and security of their digital ecosystems.