On 10 October 2024, the Council of the European Union approved the Cyber Resilience Act (CRA). The new legislation, directed at manufacturers, distributors and importers of hardware and software, is intended to make digital products in Europe more secure, both throughout the supply chain and throughout their lifecycle.
The new law sets binding cybersecurity requirements for digital products sold in the EU, such as software, webcams, smart TVs and other products that are part of the Internet of Things (IoT). This will ensure that consumers and businesses can safely use these digital products.
Key points of the CRA
This law was actively promoted by the Netherlands. The main focus was on striking a balance between the protection of digital security and the impact on innovation. The key points of the Cyber Resilience Act are:
- Mandatory cybersecurity requirements for digital products, such as software and IoT devices, from the design phase onwards.
- Making manufacturers, importers and distributors responsible for ensuring that products are and remain secure.
- Mandatory security updates and reporting of security vulnerabilities.
- Fines of up to 2.5% of global turnover for companies that fail to comply.
- Non-commercial open source software will be exempt from these rules as it is usually developed on a non-profit basis.
The CRA will come into effect in 2025 and will force companies to consider cybersecurity a core part of their product development, rather than a side issue. A 24-month transition period will be in place so that products and processes can be adapted to the new requirements.