EU Approves Cyber Resilience Act for Connected Devices

October 10th, 2024

The European Union Council has formally approved the Cyber Resilience Act (CRA), introducing EU-wide cybersecurity requirements for digital products.

This new regulation covers all connected devices, from smart doorbells and speakers to baby monitors, whether they are directly or indirectly linked to another device or network.

The CRA aims to address cybersecurity gaps, create clearer connections between existing laws, and streamline the EU’s cybersecurity framework. It ensures that products with digital components, like Internet of Things (IoT) devices, remain secure throughout their lifecycle and across the supply chain.

The regulation applies to the design, development, production, and market availability of hardware and software products, preventing conflicting requirements from different EU member state laws. Products that comply with the CRA will bear the CE marking, indicating they meet high standards for safety, health, and cybersecurity in the European Economic Area (EEA). This familiar label will help consumers easily identify secure hardware and software.

Certain devices, such as medical equipment, aeronautical products, and payment cards, may be exempt if existing EU laws already regulate their cybersecurity.

The UK enacted a similar law, the Product Security and Telecommunications Infrastructure (PSTI) Act, in April 2024.

To learn more on how to comply, be sure to download the guide below: