On 10th Oct 2024, the Council approved new legislation, the Cyber Resilience Act, on cybersecurity requirements for products with digital components, aimed at ensuring the safety of items like connected home cameras, refrigerators, TVs, and toys before they are introduced to the market.
The new legislation, targeting manufacturers, distributors, and importers of hardware and software, seeks to enhance the security of digital products across Europe.
The Cyber Resilience Act will ensure:
- Harmonized regulations for introducing products or software with digital components to the market.
- A requirement to maintain responsibility for the entire lifecycle of these products.
- Companies that fail to comply may face fines of up to 2.5% of their global revenue. Non-commercial open-source software will be exempt from these regulations, as it is typically developed for non-profit purposes.
Software and hardware products will feature the CE marking to show their compliance with the regulation’s standards. The letters “CE” are found on numerous products sold in the extended single market of the European Economic Area (EEA). This marking indicates that products available in the EEA have been evaluated to meet stringent safety, health, and environmental protection criteria.
The regulation will apply to all products that are connected directly or indirectly to another device or network, with certain exceptions, such as open-source software or services already governed by existing regulations, including medical devices, aviation, and automobiles.
The CRA will take effect in 2025, requiring companies to treat cybersecurity as a fundamental aspect of their product development instead of a secondary concern. A 24-month transition period will be implemented to allow for the adjustment of products and processes to meet the new requirements.