
EU Cyber Resilience Act: Smart Device Makers Face €15M Fine for Noncompliance

James Morales

Key Takeaways

  • The EU’s Cyber Resilience Act entered into force on Dec. 10.
  • The regulation introduced new security standards for internet-connected devices.
  • Manufacturers that don’t comply with the rules could be fined up to €15 million or 2.5% of their global annual turnover.

The European Union’s Cyber Resilience Act (CRA) officially entered into force on Dec. 10, kickstarting a new era in EU cybersecurity regulation.

The legislation aims to address growing concerns over vulnerabilities in internet-connected devices and strengthen the overall cybersecurity posture of the EU market.

Smart device manufacturers and suppliers are now under increased scrutiny and face substantial fines if they fail to meet the new standards.

What Is the Cyber Resilience Act?

The Cyber Resilience Act is designed to enhance the security of smart devices and digital products. The act establishes clear cybersecurity requirements for manufacturers, importers, and distributors, aiming to minimize risks associated with the use of connected technologies.

The CRA responds to the security and privacy threats posed by the growing array of internet-connected devices; its principles center on transparency, accountability, and proactive risk management.

It mandates that all connected devices, from smart home appliances to industrial systems, meet stringent cybersecurity standards before being introduced to the EU market.

Device Makers Subject to Cybersecurity Requirements

Under the Cyber Resilience Act, device manufacturers that sell in the EU must adhere to a set of detailed cybersecurity rules throughout the product lifecycle. These requirements include:

  • Secure-by-Design Principles: Devices must be designed with built-in security measures to prevent unauthorized access and mitigate risks. Manufacturers are expected to integrate features like encryption, authentication protocols, and automatic updates.
  • Vulnerability Reporting and Management: Companies are required to establish systems for identifying and addressing vulnerabilities. This includes providing a clear mechanism for users and researchers to report potential security issues.
  • Transparency Obligations: Manufacturers must offer clear and accessible information about a product’s security features and limitations. This includes publishing details on how long the device will receive software updates and security patches.
  • Ongoing Monitoring and Maintenance: Security responsibilities do not end at the point of sale. Manufacturers must ensure regular software updates and continue monitoring devices for emerging threats.

Penalties for Noncompliance

The Cyber Resilience Act imposes severe penalties for companies that fail to comply with its requirements.

Noncompliant manufacturers face fines of up to €15 million or 2.5% of their global annual turnover, whichever is higher. The fines are structured to serve as a deterrent and reflect the potential harm caused by insecure devices.

Beyond financial penalties, noncompliant products may be withdrawn from the market.

James Morales is CCN’s blockchain and crypto policy reporter. He has been working in the news media since 2020, writing about topics such as payments, banking and financial technology. These days, he likes to explore the latest blockchain innovations and the evolving landscape of global crypto regulation. With an educational background in social anthropology and media studies, James uses his platform as a journalist to explore how new technologies work, why they matter and how they might shape our future.