
The EU Cyber Resilience Act (CRA): Enhancing Cybersecurity of Digital Products

The European Union has adopted the Cyber Resilience Act (CRA), Regulation (EU) 2024/2847, a cybersecurity regulation for hardware and software products with digital elements. Proposed by the Commission in September 2022 and published in the Official Journal on 20 November 2024, it entered into force on 10 December 2024. The CRA was driven by growing concern over attacks on connected hardware and software, against a backdrop in which the global annual cost of cybercrime was estimated at €5.5 trillion in 2021. The Act aims to ensure manufacturers build security into products from the start, thereby protecting consumers and businesses from cyber threats throughout a product's lifetime.

Background

Cyberattacks on critical infrastructure and industrial systems have highlighted the need for stronger cybersecurity rules in the EU. As more industrial equipment, household gadgets, and Internet of Things (IoT) devices come online, security vulnerabilities have multiplied. Consumers have increasingly fallen victim to hacks exploiting weaknesses in everyday smart devices. Cyber incidents can cause severe economic and social disruption and even endanger lives, underscoring the urgency for action.

Prior to the CRA, many digital products had minimal cybersecurity safeguards. Widespread vulnerabilities often went unpatched because manufacturers did not provide consistent security updates, and many products had no defined support period at all. At the same time, users lacked the information needed to assess or securely configure the devices they used. Moreover, most hardware and software products were not subject to any horizontal EU-wide cybersecurity requirement; only a few categories (for example radio equipment under the Radio Equipment Directive) were covered by sector-specific rules, leaving a gap in which companies had little incentive to prioritize security. The Cyber Resilience Act was introduced to close that gap by setting uniform cybersecurity requirements for products with digital elements made available on the EU market.

Goals

The Cyber Resilience Act is designed to improve the cyber resilience of Europe’s digital ecosystem. Specifically, it has two main objectives:

  1. Create conditions for developing secure digital products – ensuring hardware and software placed on the market have fewer vulnerabilities, and that manufacturers prioritize security throughout the product lifecycle.
  2. Enable users (both consumers and businesses) to factor cybersecurity into their decisions when selecting and using products with digital elements.

In addition, the Act outlines four specific objectives to support these goals:

  • Ensure manufacturers improve product security from the design and development phase through the product’s entire lifespan (secure by design and secure by default).
  • Establish a coherent cybersecurity framework that makes it easier for hardware and software producers to comply with requirements.
  • Enhance the transparency of cybersecurity features of digital products (so users can be informed about a product’s security level).
  • Enable businesses and consumers to use digital products securely.

Implications for Tech Companies

The CRA has far-reaching implications for tech companies. The regulation covers nearly all products with digital elements made available on the EU single market, meaning any software or hardware product, including its remote data processing solutions, whose intended or reasonably foreseeable use involves a direct or indirect connection to a device or network. That ranges from computer hardware and software to IoT devices like smartwatches and smart home appliances, and to products deployed in critical sectors such as energy, transport, healthcare, and finance. A few categories are excluded because they are already covered by sector-specific EU rules, notably medical devices, motor vehicles, civil aviation, and marine equipment, as are products developed exclusively for national security or defence and free and open-source software supplied outside a commercial activity. With such a broad scope, the law applies to manufacturers, importers, distributors, and authorised representatives of any product with digital elements placed on the EU market, wherever the company itself is established.

The Act significantly shifts cybersecurity responsibility onto manufacturers. Companies must ensure their products meet the essential cybersecurity requirements of Annex I before placing them on the market. Manufacturers are required to perform and document a cybersecurity risk assessment, draw up technical documentation, carry out a conformity assessment, issue an EU declaration of conformity, affix the CE marking, and cooperate with authorities to demonstrate compliance. The assessment route depends on the product's risk class: most products can be self-assessed by the manufacturer, while products listed as "important" (for example operating systems, password managers, routers, firewalls, and hypervisors) or "critical" (for example smart meter gateways and smartcards with secure elements) face stricter procedures, in many cases involving a third-party notified body or an EU cybersecurity certification scheme. Importers and distributors likewise must verify that the products they trade bear the CE marking and are accompanied by the required documentation before making them available.

Moreover, manufacturers must implement processes for handling vulnerabilities throughout a product's support period, which must reflect the expected time of use and be at least five years unless the product is expected to be used for less. In practice this means maintaining a software bill of materials (SBOM) covering at least the product's top-level dependencies, publishing a coordinated vulnerability disclosure policy with a single point of contact, and fixing discovered flaws without delay through security updates that are provided free of charge and, where feasible, separately from functionality updates. The CRA also introduces a reporting duty: manufacturers must notify any actively exploited vulnerability in their product, and any severe incident affecting its security, to ENISA and the relevant national CSIRT through a single reporting platform, with an early warning within 24 hours of becoming aware of it, a fuller notification within 72 hours, and a final report within 14 days for a vulnerability or one month for an incident. The CRA further emphasizes transparency: users must receive clear information about a product's cybersecurity properties, allowing them to make more informed purchase decisions. National market surveillance authorities will enforce these rules and ensure industry compliance.

Companies are given a transition period to adapt to the new rules. The CRA entered into force on 10 December 2024, and its obligations apply in stages: the provisions on notified bodies apply from 11 June 2026, the vulnerability and incident reporting obligations from 11 September 2026 (21 months after entry into force), and the remaining obligations, including the essential cybersecurity requirements, from 11 December 2027 (36 months after entry into force). Non-compliance will carry heavy penalties, set in three tiers, with the higher of the fixed amount and the percentage of worldwide annual turnover applying in each case:

  • Up to €15 million or 2.5% of worldwide annual turnover for failing to meet the essential cybersecurity requirements or the core manufacturer obligations, including the vulnerability and incident reporting duties.
  • Up to €10 million or 2% of worldwide annual turnover for breaches of other obligations under the Act, such as those of importers and distributors.
  • Up to €5 million or 1% of worldwide annual turnover for supplying incorrect, incomplete, or misleading information to notified bodies or market surveillance authorities.

These steep penalties underscore the EU's seriousness in enforcing the CRA.

Cybersecurity and Consumers

For consumers, the CRA promises safer digital products. Everyday devices, from phones, computers, and smart home gadgets to internet-connected toys, will have to meet the essential cybersecurity requirements before they can be sold, including being delivered with a secure default configuration. Manufacturers must fix vulnerabilities and provide security updates for the whole support period, reducing the risk of hacks, malware, and data breaches. Overall, the Act protects consumers and businesses from products with inadequate security features.

The CRA also empowers users with better information. Products must be accompanied by user information and instructions that set out, among other things, the product's security properties, the end date of its support period, how security updates are installed, and how to report vulnerabilities to the manufacturer; the CRA does not itself mandate a security label, although products may additionally carry the label of a voluntary EU cybersecurity certification scheme. This allows consumers to take cybersecurity into account when choosing products, and to know in advance how long a device will keep receiving updates. Shoppers will find it easier to identify products that have proper security features and meet the requirements. This move is expected to drive manufacturers to compete on security, thereby raising the bar for user protection across the board.

Impact on Businesses and the Tech Industry

In the short term, tech firms in Europe will need to invest in compliance – adjusting product development processes, training staff, and possibly redesigning products to meet the CRA’s requirements. This could increase costs and complexity, especially for startups and small businesses. However, in the long term, a unified security standard creates a more level playing field for companies. Cybersecurity becomes a baseline expectation for all products, which can increase consumer trust in technology.

Investing in better security may also save companies from the huge costs of cyber incidents. The Commission's impact assessment estimates that the CRA's mandatory vulnerability handling could reduce the cost of incidents affecting companies by roughly €180 to €290 billion a year, largely by preventing attacks that propagate through software supply chains.

Global Influence

The Cyber Resilience Act is poised to raise cybersecurity standards well beyond Europe. Presented by the Commission as the first EU-wide law to comprehensively regulate the security of digital products, the CRA establishes the EU as a leader in product security regulation, and commentators have suggested that it could "change the rules of the game" globally for product security governance.

Tech companies outside Europe that wish to sell in the EU market will have to abide by the CRA, since its obligations attach to the product regardless of where the manufacturer is established, and importers must verify conformity before a product enters the market. Many such companies are likely to adopt the same practices across all their products rather than maintain an EU-specific variant. It is also likely that other countries or regions will follow the EU's lead by introducing similar regulations to protect their consumers and critical systems from cyber threats.

Conclusion

The Cyber Resilience Act underscores that cybersecurity is now a fundamental requirement in the digital product landscape. This regulation is expected not only to shield European consumers and businesses from cyber threats, but also to drive higher security standards globally for a safer digital ecosystem.

Sources

  1. European Commission – Cyber Resilience Act Proposal
  2. Wikipedia – Cyber Resilience Act
  3. Global Relay – Guide to the EU Cyber Resilience Act
  4. Industrial Cyber – EU Adopts Cyber Resilience Act
  5. DLA Piper – EU Cyber Resilience Act Published
  6. CRA Update (EU Council)
