On December 10, 2024, the Cyber Resilience Act (CRA) officially came into effect throughout the European Union, marking a milestone in protecting consumers and businesses against cyber threats. This innovative legislation establishes a set of mandatory cybersecurity requirements for digital products and services, ranging from smart appliances to connected software, aiming to create a safer and more resilient digital space.
The Cyber Resilience Act responds to the growing risks of an increasingly digitalized world, where devices such as smartwatches, security cameras, and industrial control systems are ubiquitous in homes and businesses. With this measure, the European Union strengthens its leadership in digital security, imposing a robust regulatory framework that aims to significantly reduce vulnerabilities of digital products in the European market.
What is the Cyber Resilience Act and what does it regulate?
The Cyber Resilience Act is the first legislation in the European context that establishes mandatory cybersecurity requirements for products with digital components. This legal framework covers both hardware and software and places special emphasis on protecting consumers from risks arising from the lack of security in digital products.
The main goals of the CRA include:
- Improving the security of digital products.
- Increasing transparency. Consumers will be able to easily identify products that meet security standards through CE marking.
- Ensuring security updates. Manufacturers will be required to provide support and updates to address vulnerabilities throughout the product’s lifecycle.
- Redistributing responsibility towards manufacturers. Companies must ensure that their products meet the requirements before they are marketed.
The CE marking will become a key indicator for consumers, signaling that a product meets the cybersecurity standards established by the CRA. This will simplify purchasing decisions and reinforce trust in the digital products available in the EU market.
Who is affected by this legislation?
The Cyber Resilience Act has a broad scope and affects both manufacturers and distributors of products with digital components marketed in the European Union. Among the main sectors impacted are:
- IoT Products (Internet of Things): Connected appliances, security cameras, smartwatches, and other devices used in homes and offices.
- Commercial and consumer software: Applications that collect data or interact with other devices.
- Industrial sectors: Control systems in factories, industrial sensors, and connected management solutions.
Additionally, the regulation includes specific measures for critical products, which will be required to undergo additional cybersecurity assessment by third parties before being placed on the market.
However, the CRA does not apply to certain products already regulated by other laws, such as medical devices, aviation systems, or automobiles. It also does not affect open-source software, unless it is marketed in a professional context.
Responsibilities for manufacturers and distributors
The CRA establishes a clear framework of responsibilities for manufacturers and distributors. Among the most notable obligations are:
- Secure design: Ensure that products are secure from the design stage, with integrated security controls.
- Mandatory updates: Provide software updates to address vulnerabilities throughout the product’s lifecycle.
- Security assessments: Subject certain critical products to cybersecurity testing conducted by authorized bodies.
- Transparent information: Manufacturers must provide clear documentation explaining the cybersecurity features of their products.
These measures will require manufacturers to adopt a proactive approach to security, ensuring that cyber risks are mitigated from the outset. At the same time, consumers can trust that products bearing the CE marking conform to the highest cybersecurity standards.
Impact on consumers
One of the main beneficiaries of the CRA will be European consumers, who will have greater protection against cyber risks arising from insecure products. Thanks to the CE marking, consumers will be able to quickly identify which products meet EU safety standards.
Moreover, the regulation addresses common issues faced by consumers, such as the lack of security updates for older devices. By requiring manufacturers to maintain support throughout the product’s lifecycle, consumers will be better protected against potential long-term vulnerabilities.
The CRA also facilitates the setup process for digital products, ensuring that users can adopt secure practices from the moment of installation. This will be especially useful for IoT devices, which often have complex security configurations.
Relationship with the NIS2 Directive and other cybersecurity strategies
The CRA complements other European Union initiatives aimed at strengthening cybersecurity, particularly the NIS2 Directive, which came into effect in 2023. While the CRA focuses on the security of digital products, the NIS2 Directive establishes a framework to improve the resilience of critical sectors, such as energy, transportation, and healthcare.
Both regulations are part of the EU Cybersecurity Strategy 2020, which aims to build a safer and more trustworthy digital environment. These measures seek to ensure that Europe is prepared to face the growing cyber threats in an increasingly connected world.
Key dates: a transition period until 2027
Although the CRA came into effect on December 10, 2024, the main obligations will not apply until December 11, 2027. This transition period will allow manufacturers and distributors to adapt to the new cybersecurity requirements.
During this time, the European Commission will have the support of the Cyber Resilience Expert Group, which will advise on the implementation of the regulation and ensure its proper application across all Member States.
Challenges and opportunities for businesses
The CRA represents both a challenge and an opportunity for businesses. On one hand, manufacturers will need to invest in new technologies and processes to comply with cybersecurity requirements. This may involve additional costs in terms of development and assessment.
On the other hand, the regulation presents an opportunity for companies to differentiate themselves in the market. Products that comply with the CRA requirements will have a competitive advantage, as consumers will be more willing to trust them. Additionally, by reducing the risk of cybersecurity incidents, companies can avoid potential costs related to data breaches or loss of consumer trust.
The importance of cyber resilience in a connected world
At a time when the Internet of Things (IoT) and connected technologies are transforming how we live and work, cyber resilience has become an essential requirement. Digital devices are becoming increasingly sophisticated, but also more vulnerable to cyberattacks. This poses risks not only for consumers but also for businesses and critical infrastructures.
The CRA addresses these concerns comprehensively, ensuring that security is a priority in the design, development, and maintenance of digital products. This is especially crucial in sectors like healthcare, where a security breach could have serious consequences.
Towards a safer and more connected future
The Cyber Resilience Act marks a significant step towards a safer digital space in Europe. By establishing mandatory cybersecurity requirements, the regulation not only protects consumers but also reinforces trust in digital products and promotes innovation in the technological field.
As Henna Virkkunen, Executive Vice-President of the European Commission, stated: “We are committed to making Europe a safe place for citizens and businesses. This regulation represents a significant step forward in ensuring that digital products do not pose cyber risks to European consumers.”
With the CRA, the European Union is leading the way towards a more resilient digital future, where security is a priority for all actors in the digital ecosystem. The enactment of this regulation sends a clear message: in an increasingly connected world, cybersecurity is not optional, but essential.
Source: Digital Strategy Europe