TechCrunch News, December 10, 2024
EU cybersecurity rules for smart devices enter into force

 

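The EU's Cyber Resilience Act has entered into force, requiring product manufacturers to provide security support to consumers, such as updating software to fix vulnerabilities. The act aims to strengthen the security of smart devices, applies to a wide range of products, sets requirements across the product lifecycle, and provides for fines where its standards are breached.

🦾 The Cyber Resilience Act places security obligations on product manufacturers, such as software updates

🎯 The act applies to a wide range of connected devices, with exceptions for some products

💲 Breaches of the act's standards will face fines of varying severity

✅ Devices can display the CE mark to indicate compliance with the act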

Rules for boosting the security of connected devices have entered into force in the European Union.

The Cyber Resilience Act (CRA) puts obligations on product makers to provide security support to consumers, such as by updating their software to fix security vulnerabilities. However, the deadline for compliance with the main obligations of the law is still three years out, on December 11, 2027, to allow device makers time to comply.

The legislation was proposed a little over two years ago, with the goal of amping up the security of devices such as smartwatches, internet-connected toys and home appliances that can be controlled by an app.

The proliferation of connected devices has led to worries over rising hacking risks, with quasi-regular headlines about hacked baby monitors and kids' toys amping up concerns that profits were being put before consumer security.

The pan-E.U. law puts mandatory cybersecurity requirements on products with digital elements. Requirements apply throughout in-scope products’ lifecycles, from design and development through operation. Distributors and retailers must also ensure the stuff that they supply or stock abides by the EU’s rules.

The CRA applies to connected devices broadly — meaning products that connect directly or indirectly to another device or network — with exceptions in the case of products that are covered by other existing E.U. rules, such as medical devices, cars, and some open-source software.

Devices can display the E.U.’s CE mark to communicate that they are abiding by the CRA. Regional consumers should then have less legwork to ensure they are purchasing a more secure product if they look out for the CE marking.

The bloc has said it wants the law to “rebalance responsibility” for cybersecurity towards manufacturers, who must ensure products with digital elements meet the legal standards if they wish to access the E.U. market.

Penalties for failing to meet the CRA’s standards will fall to Member State-level oversight bodies, which will be responsible for compliance checks. But the law states that breaches of “essential cybersecurity requirements” can risk fines of up to 2.5% of global annual turnover (or up to €15 million if greater). Breaches of other requirements risk fines of 2% (up to €10 million). Failure to respond properly to regulatory requests risks 1% (or €5 million).
