EU's cybersecurity rules for smart devices now in effect
What's the story
The European Union's (EU) Cyber Resilience Act (CRA), a set of rules designed to improve the security of connected devices, is now in effect.
Under the CRA, manufacturers are required to provide security support to users, including software updates to fix potential vulnerabilities.
Manufacturers have been given time until December 11, 2027, to fully comply with these obligations.
Scope
CRA targets a wide range of connected devices
The CRA, which was announced more than two years ago, is designed to enhance the security of smartwatches, internet-connected toys, app-controlled home appliances, and other such devices.
The law applies widely to any product that can connect directly or indirectly to another device or network.
However, it doesn't cover products already regulated under existing EU laws like medical devices, cars, and some open-source software.
Obligations
CRA imposes mandatory cybersecurity requirements
The CRA mandates compulsory cybersecurity requirements on products with digital components, covering their entire lifecycles from design and development to operation.
Even distributors and retailers are required to ensure that their products adhere to these rules.
Devices meeting CRA standards can display the EU's CE mark, indicating to consumers that they are buying a secure product.
Accountability
EU aims to shift cybersecurity responsibility to manufacturers
The EU wants the CRA to move the onus of cybersecurity toward manufacturers.
These companies would have to ensure that their products with digital components are compliant with the law if they want to enter the EU market.
Penalties for non-compliance would be imposed by member state-level oversight bodies, which would be tasked with conducting compliance checks under this new law.
Fines
Penalties for non-compliance
The CRA states that violations of "essential cybersecurity requirements" could lead to fines of up to 2.5% of global annual turnover or up to €15 million, whichever is higher.
Breaches of other requirements could lead to fines of 2% (or up to €10 million), while failure to respond appropriately to regulatory requests could lead to a 1% (or €5 million) penalty.