The European Union has officially adopted the Cyber Resilience Act, a new law that establishes stringent cybersecurity requirements for products with digital components. This regulation aims to safeguard consumers and businesses by ensuring that a wide range of products, from home cameras and fridges to televisions and toys, meet those cybersecurity standards before being placed on the market.
With the rapid growth of the Internet of Things (IoT) and connected devices, this law seeks to address critical gaps in the existing legislative framework and ensure that digital products across the EU are secure throughout their entire lifecycle.
A Comprehensive Approach to Cybersecurity
The Cyber Resilience Act was officially adopted by the Council of the European Union with the primary goal of ensuring that products with digital elements are safe and secure before reaching consumers. By introducing EU-wide cybersecurity requirements, the new law covers all aspects of the digital product lifecycle, from design and development to production and market availability. The new regulation targets both hardware and software products, aiming to streamline cybersecurity measures across member states and eliminate the confusion that arises from overlapping national laws.
One of the key features of the Cyber Resilience Act is the CE marking requirement, which will apply to products that meet the new cybersecurity standards. This well-known label, currently used to signify compliance with safety, health, and environmental regulations, will now also indicate that a product has met the EU’s rigorous cybersecurity requirements. The CE marking will be mandatory for all products traded within the European Economic Area (EEA) that are connected directly or indirectly to another device or a network.
This broad scope of coverage means that devices such as smart home appliances, IoT devices, and digital toys will be subject to the same cybersecurity scrutiny, ensuring that consumers are better protected from the growing risk of cyberattacks. However, some exceptions will apply to specific product categories that already fall under existing EU rules, such as medical devices, aeronautical products, and cars, where cybersecurity requirements are already in place.
Empowering Consumers with Cybersecurity Insights
One of the key objectives of the Cyber Resilience Act is to empower consumers by making cybersecurity a central factor in their purchasing decisions. The regulation ensures that consumers can easily identify products that adhere to strict cybersecurity standards, making it easier for them to select safe and secure devices. By increasing transparency, the EU aims to build consumer trust in the digital market and mitigate risks such as data breaches, hacking, and unauthorized access to personal devices.
In the context of rising cybercrime and increasingly sophisticated cyber espionage attacks, the Cyber Resilience Act represents a proactive step toward protecting not only consumers but also the broader digital ecosystem.
Simplifying Cybersecurity Compliance for Businesses
For businesses operating within the EU, the Cyber Resilience Act provides much-needed clarity by consolidating cybersecurity requirements into a single, coherent legislative framework. By eliminating the confusion caused by varying national regulations, the law simplifies compliance for companies that design, develop, and manufacture digital products. The introduction of the CE marking for cybersecurity will serve as a clear indicator that products comply with EU standards, helping businesses avoid penalties and ensuring that their products can be traded freely within the EU’s single market.
Additionally, the act takes into account the entire supply chain, requiring manufacturers to consider cybersecurity risks not only in the final product but also throughout the various stages of production. This comprehensive approach ensures that vulnerabilities are addressed early, reducing the likelihood of exploitable flaws being introduced during the manufacturing process.
Next Steps for the Cyber Resilience Act
Now that the Cyber Resilience Act has been adopted by the Council, the legislative process is nearing its final stages. The act will soon be signed by the presidents of the Council and the European Parliament, and it is expected to be published in the EU’s official journal in the coming weeks. Following its publication, the regulation will come into force 20 days later.
However, businesses and consumers will have a transition period before the law fully takes effect. The Cyber Resilience Act will apply 36 months after its entry into force, giving companies ample time to adjust their practices and ensure compliance. Some provisions of the law will apply earlier, though, providing an incremental approach to its implementation.
The EU’s Cybersecurity Evolution
The Cyber Resilience Act is part of a broader push by the EU to enhance its cybersecurity framework in response to growing threats. First proposed by European Commission President Ursula von der Leyen in her State of the Union address in 2021, the act complements existing EU laws, including the NIS Directive (Network and Information Security), the NIS 2 Directive, and the EU Cybersecurity Act. Together, these legislative measures aim to create a robust and resilient digital ecosystem that can withstand the growing number of cyberattacks.
The Cyber Resilience Act also reflects the EU’s commitment to strengthening its cyber posture, as outlined in the Council conclusions from May 2022. Following extensive interinstitutional negotiations, a provisional agreement on the act was reached on 30 November 2023, signaling the EU’s determination to lead the charge in global cybersecurity efforts.