      What you need to know about the EU Cyber Resilience Act

      Published on 21 Nov 2024 | 2 minute read
      New law will enter into force in December 2024

On 10 October 2024, the European Council (Council) adopted the Regulation (EU) 2024/2847 on horizontal cybersecurity requirements for products with digital elements (Cyber Resilience Act, "CRA"). The regulation was published in the Official Journal of the European Union on 20 November 2024 and will enter into force during December 2024. A transition period of 21 months will follow.

The CRA targets manufacturers, distributors and importers by requiring increased cybersecurity for products with digital elements (which include smartphones, laptops, password managers, and smart home products with security functionality such as smart door locks, security cameras or baby monitors: any product that is directly or indirectly connected to a network or to another device) before they are placed on the internal EU market, by reducing hardware and software vulnerabilities throughout a product's lifecycle.

Following the implementation of the CRA, the existing CE marking (from the French "conformité européenne") visible on hardware and software products will also demonstrate to consumers that the products comply with the CRA, enabling consumers to make a conscious choice about cybersecurity.

Products are divided into classes depending on their cybersecurity risk, i.e. important or critical. Any product that isn't classified as important or critical must still comply with the CRA. It is up to the manufacturers, distributors and importers to ensure this.

      The regulation focuses on various measures for manufacturers, distributors and importers to increase products’ cybersecurity:

      Security updates

Security updates, which should be free of charge, need to download and install automatically. This must be ensured by designing and implementing, before the product is placed on the market, a process that allows the notification and distribution of updates, especially for consumer products. A user should also be able to opt out of automatic updates. Not all products with digital elements are expected to have automated updates, e.g. products used in professional ICT networks, and especially in critical and industrial environments, where an automatic update could interfere with operation.

      Support period

Once a product has been placed on the market, manufacturers need to determine a support period, which signals how long a consumer can expect the product to remain in use. This needs to take into account, among other things, the user's expectations given the nature of the product. The general rule is that the support period is five years. A support period shorter than five years is allowed when the lifetime of the product is less than that. For products expected to have a long support period, such as routers and video-editing tools, manufacturers should provide one.

      Single point of contact

A single point of contact should be provided for consumers to get in touch with the manufacturer, including for reporting product vulnerabilities. This main point of contact can't be purely AI-generated, e.g. a website chatbot.

      Reporting vulnerabilities

Any exploited vulnerability or severe incident impacting a product's security must be reported to the computer security incident response team (CSIRT) designated as coordinator, and to the European Union Agency for Cybersecurity (ENISA).

      Risks of non-compliance

If a company fails to comply with the CRA, it risks a fine of 2.5 % of its total worldwide annual turnover, which could be a significant amount for companies operating in multiple markets.

The objective of the regulation is to increase the cybersecurity of products with digital elements in the EU. Cybersecurity threats pose a risk to EU consumers using such products. However, regardless of the regulation, consumers will continue to play an important part in safeguarding security by reporting vulnerabilities and by being informed about the CE marking, so that they understand it signals compliance with the CRA.
