What is the Cyber Resilience Act (CRA)?

On October 10, 2024, the European Union (EU) adopted a new law focused on cybersecurity, the Cyber Resilience Act (CRA). This regulation introduces stringent cybersecurity requirements for products with digital elements, ensuring that devices like smart home appliances, industrial systems, and other Internet-connected products are safe before they reach consumers. By addressing the existing cybersecurity challenges in the EU market, the CRA seeks to create a cohesive regulatory environment, strengthening the security of hardware and software products across the internal market.

What is the Cyber Resilience Act?

The Cyber Resilience Act (CRA) is an EU-wide law that sets cybersecurity standards for products with digital components, such as laptops, smartphones, connected home devices, and industrial systems. These products, which can be directly or indirectly connected to networks or other devices, are now required to meet uniform cybersecurity criteria before they are placed on the market. The new regulation covers both hardware and software products, including end-user devices, software libraries, and critical infrastructure components.

Before the CRA, cybersecurity laws across the EU were fragmented, leading to legal uncertainty for manufacturers and consumers. Different regulations applied in various member states, creating challenges for companies to ensure their products met all necessary security requirements. The CRA eliminates these inconsistencies by providing a unified framework for product safety and cybersecurity, which will benefit both businesses and consumers.


Key Elements of the CRA

The Cyber Resilience Act introduces several key provisions aimed at improving the security of digital products across the EU market. These include:

  1. Harmonized Cybersecurity Requirements

The CRA establishes uniform cybersecurity requirements for the design, development, and production of digital products. These requirements aim to ensure that cybersecurity is considered throughout the entire lifecycle of a product, from initial design to post-sale support. Manufacturers must ensure that products are secure by design and provide regular security updates to address vulnerabilities that may arise after a product is released.

  2. CE Marking for Cybersecurity Compliance

Products covered under the CRA must bear the CE marking, which signifies that they comply with EU safety, health, and environmental protection standards. The CE mark is already used for various products sold in the European Economic Area (EEA), and the CRA now extends this to cybersecurity compliance. By displaying the CE mark, manufacturers demonstrate that their products meet the cybersecurity requirements outlined in the CRA.

  3. Scope of Application

The CRA applies to all products that are connected to a network or another device, either directly or indirectly. However, some categories of products are excluded, as they are already subject to specific cybersecurity regulations. These include medical devices, aeronautical products, and automobiles, which are governed by their own sector-specific EU legislation.

  4. Consumer Empowerment

One of the Act’s major goals is to enhance transparency and empower consumers to make informed decisions regarding the cybersecurity features of the products they purchase. With uniform cybersecurity standards in place, consumers will have access to clearer information about a product’s security features, helping them choose hardware and software that meet their needs and security expectations.

  5. Cross-Border Considerations

In a connected world, a cybersecurity incident in one product can easily spread across borders. The CRA recognizes this challenge and seeks to address the cross-border dimension of cybersecurity risks. Products manufactured in one country may be used across the entire internal market, making it critical for cybersecurity standards to be consistent across all member states.


Addressing Cybersecurity Challenges

The Cyber Resilience Act addresses two key problems in the digital market:

  1. Low Level of Cybersecurity in Digital Products

Many digital products are vulnerable to cyberattacks due to inadequate security measures. These vulnerabilities can result from poor design, lack of regular updates, or insufficient attention to cybersecurity during the product’s lifecycle. The CRA aims to mitigate these risks by imposing stringent cybersecurity requirements, ensuring that products are designed and developed with security in mind from the outset.

The Act also addresses the issue of inconsistent and infrequent security updates. Manufacturers will be required to provide regular updates to fix security vulnerabilities, reducing the likelihood of cyberattacks exploiting outdated software or hardware.

  2. Lack of Consumer Awareness

Consumers often lack the necessary information to evaluate the cybersecurity features of digital products. This makes it difficult for them to choose products that offer adequate protection against cyber threats. The CRA improves consumer awareness by requiring manufacturers to provide clear information about a product’s cybersecurity features. This transparency enables consumers to make informed decisions and use products more securely.

Examples of Products with Digital Elements

The CRA covers a wide range of digital products that are either integrated into or connected to larger electronic systems. These products can serve as entry points for cyberattacks if they are not adequately secured. Some examples of these products include:

End Devices:

  • Laptops and smartphones
  • Smart home devices (e.g., cameras, fridges)
  • Smart robots and smart meters
  • Routers and industrial control systems
  • Smart speakers and switches

Software:

  • Operating systems and firmware
  • Mobile applications and desktop software
  • Video games

Hardware and Software Components:

  • Central processing units (CPUs)
  • Video cards
  • Software libraries

These products, by their nature, are vulnerable to cyberattacks, which can compromise an entire network or system. By setting cybersecurity standards for these products, the CRA ensures that even components that might seem less critical are not neglected, reducing the overall attack surface for malicious actors.


The CRA in the Context of EU Cybersecurity Legislation

The Cyber Resilience Act is a significant addition to the EU's cybersecurity framework. It complements existing laws such as the NIS Directive (Directive on the Security of Network and Information Systems), the NIS 2 Directive, and the EU Cybersecurity Act. Together, these laws form a comprehensive framework aimed at enhancing cybersecurity across the EU.

  1. NIS Directive and NIS 2 Directive

The NIS Directive, adopted in 2016, was the first piece of EU-wide legislation on cybersecurity. It focuses on improving the cybersecurity capabilities of critical infrastructure operators, such as energy providers, transport networks, and healthcare services. The NIS 2 Directive, which entered into force in 2023, expanded the scope of the original directive, covering a broader range of sectors and imposing stricter cybersecurity requirements.

While the NIS directives focus on critical infrastructure, the Cyber Resilience Act targets products with digital elements, ensuring that everyday consumer products, as well as components of industrial systems, are secure.

  2. EU Cybersecurity Act

The EU Cybersecurity Act, adopted in 2019, established the European Cybersecurity Certification Framework, which aims to ensure a common approach to cybersecurity certification across the EU. The Cyber Resilience Act complements this by introducing cybersecurity requirements for products with digital components, ensuring that these products meet the necessary security standards before being placed on the market.

The Journey of the Cyber Resilience Act: From Proposal to Adoption

The Cyber Resilience Act has been in the making since it was first announced by European Commission President Ursula von der Leyen in her State of the Union address in September 2021. The Commission's proposal followed the Council conclusions of May 23, 2022, which called on the Commission to propose measures to strengthen the EU's cybersecurity posture.

On September 15, 2022, the European Commission submitted the formal proposal for the CRA, which went through extensive interinstitutional negotiations, known as trilogues, between the European Parliament, the Council, and the Commission. After a provisional agreement was reached on November 30, 2023, the law was officially adopted on October 10, 2024.


What Happens Next?

Following the adoption of the Cyber Resilience Act, the legislative act will be signed by the presidents of the Council of the EU and the European Parliament and published in the EU's Official Journal. The regulation will enter into force 20 days after its publication and will apply 36 months after its entry into force, with some provisions taking effect earlier.

Timeline:

  • October 2024: Adoption of the CRA
  • 20 days later: Entry into force
  • 36 months after entry into force: Full application of the CRA

During this transition period, manufacturers and businesses must ensure that their products comply with the new cybersecurity requirements. Regulatory authorities will begin enforcing the CRA once the full implementation deadline is reached.

Conclusion: Strengthening Europe’s Cybersecurity Landscape

The Cyber Resilience Act represents a significant step forward in ensuring the security of digital products across the European Union. By harmonizing cybersecurity standards, the Act reduces the risks associated with vulnerabilities in connected devices and software, providing better protection for both consumers and businesses. Through the CRA, the EU aims to create a safer digital environment, where products are secure throughout their lifecycle, and consumers are empowered to make informed decisions about the products they use.

In an increasingly connected world, the Cyber Resilience Act is a vital tool in the EU’s efforts to mitigate cybersecurity risks and enhance the resilience of its digital ecosystem.


Source: Council of the European Union

InfoCons – European Organization for Consumer Protection and Promotion of Programs and Strategies, a full member of the World Organization Consumers International, founding member of the Federation of Consumer Associations, and member of ANEC.