The EU Commission’s proposal for a new Cyber Resilience Act (CRA) aims to safeguard consumers and businesses buying or using products or software with a digital component.
According to security experts, the Act will form a worldwide standard for connected devices and software, with an impact reaching far beyond the EU’s borders.
Margrethe Vestager, Executive Vice-President for a Europe Fit for the Digital Age, said:
“We deserve to feel safe with the products we buy in the single market. Just as we can trust a toy or a fridge with a CE marking, the Cyber Resilience Act will ensure the connected objects and software we buy comply with strong cybersecurity safeguards. It will put the responsibility where it belongs, with those that place the products on the market.”
The Act would see inadequate security features become a thing of the past with the introduction of mandatory cybersecurity requirements for manufacturers and retailers.
When the regulation comes into force, software and products connected to the internet would be required to carry CE marking to indicate they comply with the new standards. Organisations will have 24 months in which to adapt to these new requirements.
Non-compliance could result in fines and an order that the product be withdrawn or recalled.
Thierry Breton, Commissioner for the Internal Market, said:
“When it comes to cybersecurity, Europe is only as strong as its weakest link: be it a vulnerable Member State, or an unsafe product along the supply chain. Computers, phones, household appliances, virtual assistance devices, cars, toys… each and every one of these hundreds of millions of connected products is a potential entry point for a cyberattack. And yet, today most of the hardware and software products are not subject to any cyber security obligations. By introducing cybersecurity by design, the Cyber Resilience Act will help protect Europe’s economy and our collective security.”