
EU cybersecurity rules for smart devices come into effect


In the European Union, the rules for strengthening the security of connected devices have come into force.

The Cyber Resilience Act (CRA) requires product manufacturers to provide security support to consumers, such as updating software to address security vulnerabilities. However, the deadline to comply with the law's key obligations is still three years away (December 11, 2027), to give device manufacturers time to comply.

The legislation was proposed a bit more than two years ago with the aim of increasing the security of devices such as smart watches, internet-connected toys and app-controlled home appliances.

The proliferation of connected devices has fueled concerns about increased hacking risks, with quasi-regular headlines about hacked baby monitors and children's toys adding to worries that profits are being put before consumer safety.

The pan-EU law imposes mandatory cybersecurity requirements on products with digital elements. The requirements apply throughout the life cycle of covered products, from design through development and operation. Distributors and retailers must also ensure that the products they supply or store comply with EU regulations.

The CRA applies broadly to devices connected directly or indirectly to other devices or networked products, excluding products covered by other existing EU regulations, such as medical devices, vehicles and some open source software.

Devices can display the EU's CE mark to indicate compliance with the CRA. Consumers in the region need to do less legwork to ensure they are getting a safer product if they pay attention to the CE mark.

The bloc said it wants the law to “rebalance responsibility” for cybersecurity towards manufacturers, who must ensure that products with digital elements meet legal standards if they want to enter the EU market.

Penalties for not meeting the CRA’s standards will fall to supervisory authorities at Member State level, which are responsible for checking compliance. But the law states that breaches of “essential cyber security requirements” can result in fines of up to 2.5% of global annual turnover (or up to €15 million if greater). Violation of other requirements is subject to a fine of 2% (up to 10 million euros). Failure to respond correctly to regulatory inquiries carries the risk of a fine of 1% (or €5 million).


