EU Approves Cyber Resilience Act, Setting New Cybersecurity Standards for Digital Products

Written by Jeremy Werner

Jeremy is an experienced journalist, skilled communicator, and constant learner with a passion for storytelling and a track record of crafting compelling narratives. He has a diverse background in broadcast journalism, AI, public relations, data science, and social media management.
Posted on 10/18/2024
In News

The Council of the European Union recently approved the Cyber Resilience Act (CRA), which aims to set new, binding cybersecurity standards for digital products sold across the EU, including hardware, software, and devices connected to the Internet of Things (IoT). This groundbreaking legislation introduces mandatory cybersecurity measures, requiring manufacturers, importers, and distributors to ensure the security of their digital products throughout their lifecycle. With cybersecurity threats escalating, this regulation will mark a significant shift in how companies prioritize security, from the design stage to ongoing maintenance, aiming to protect both consumers and businesses across Europe.


The CRA applies to a wide range of products, from software to IoT devices such as webcams and smart TVs, requiring that these products meet stringent security standards before being sold in the EU. As part of the Act’s key provisions, manufacturers will be held accountable for ensuring that their products remain secure, with mandatory security updates and requirements to report vulnerabilities promptly.

One notable aspect of the CRA is its balance between cybersecurity needs and the promotion of innovation. The law includes a 24-month transition period to allow companies time to adapt to the new requirements. Additionally, the CRA acknowledges the contributions of the open-source community, exempting non-commercial open-source software from these regulations since such projects are typically developed on a non-profit basis. However, commercial products and services, even if based on open-source software, will still be required to comply.


Failure to adhere to the CRA’s requirements can result in severe penalties, with fines of up to 2.5% of global turnover for companies found to be in violation. These penalties aim to encourage businesses to embed cybersecurity into their product development processes, ensuring that cybersecurity is not treated as an afterthought but as an integral part of product design and ongoing operations. The Act’s enforcement will begin in 2025, by which time businesses will be expected to have fully integrated the new standards into their operations.


The CRA builds on existing EU regulations, like the General Data Protection Regulation (GDPR), but extends the focus from data privacy to the broader security of digital products. As the digital landscape continues to evolve with the proliferation of connected devices, this law aims to create a more secure environment for consumers, businesses, and critical infrastructure.


The Netherlands played a pivotal role in advocating for the Cyber Resilience Act, recognizing the need to protect digital security while fostering technological innovation. As cyberattacks become more frequent and sophisticated, this law will ensure that digital products sold in the EU are equipped to withstand these threats, protecting not only users’ data but also the integrity of the devices themselves.


Need Help?


If you have questions or concerns about any global guidelines, regulations and laws, don’t hesitate to reach out to BABL AI. Their Audit Experts can offer valuable insight and ensure you’re informed and compliant.
