The European Union Council has officially adopted the Cyber Resilience Act (CRA) which will introduce EU-wide cybersecurity requirements for products with digital elements.
From smart doorbells and speakers to baby monitors, the regulation will apply to all products that are connected either directly or indirectly to another device or network.
The new regulation aims to fill the gaps, clarify the links and make the existing cybersecurity legislative framework more coherent, ensuring that products with digital components, for example Internet of Things (IoT) products, are made secure throughout the supply chain and throughout their lifecycle.
The CRA requirements will apply to the design, developments, production and making available on the market of hardware and software products, to avoid overlapping requirements stemming from different pieces of legislation in EU member states.
Software and hardware products will bear the CE marking to indicate that they comply with the regulation's requirements.
CE is already used on many products traded in the European Economic Area (EEA) and it signifies that products sold in the EEA have been assessed to meet high safety, health, and environmental protection requirements.
This labelling will enable consumers to be better equipped to identify hardware and software products with the proper cybersecurity features.
There may be some exceptions to the requirements for devices for which cybersecurity requirements are already set out in other existing EU laws, such products include medical devices, aeronautical products and cards.
In the UK, a similar law, the Product Security and Telecommunications Infrastructure (PSTI) Act, came into force in April 2024.
Next Steps for the Cyber Resilience Act
Following the adoption of the legislation, the legislative act will be signed by the presidents of the Council and of the European Parliament and published in the EU’s official journal in the coming weeks.
The new regulation will enter into force twenty days after this publication and will apply 36 months after its entry into force with some provisions to apply at an earlier stage.