Key Takeaways
The European Union’s Cyber Resilience Act (CRA) officially entered into force on Dec. 10, kickstarting a new era in EU cybersecurity regulation.
The legislation aims to address growing concerns over vulnerabilities in internet-connected devices and strengthen the overall cybersecurity posture of the EU market.
Smart device manufacturers and suppliers are now under increased scrutiny and face substantial fines if they fail to meet the new standards.
The Cyber Resilience Act is designed to enhance the security of smart devices and digital products. The act establishes clear cybersecurity requirements for manufacturers, importers, and distributors, aiming to minimize risks associated with the use of connected technologies.
Responding to the security and privacy threats posed by the growing array of internet-connected devices, the CRA builds its principles around transparency, accountability, and proactive risk management.
It mandates that all connected devices, from smart home appliances to industrial systems, meet stringent cybersecurity standards before being introduced to the EU market.
Under the Cyber Resilience Act, device manufacturers that sell in the EU must adhere to a set of detailed cybersecurity rules throughout the product lifecycle. These requirements include:
The Cyber Resilience Act imposes severe penalties for companies that fail to comply with its requirements.
Noncompliant manufacturers face fines of up to €15 million or 2.5% of their global annual turnover, whichever is higher. The fines are structured to serve as a deterrent and reflect the potential harm caused by insecure devices.
Beyond financial penalties, noncompliant products may be withdrawn from the market.