EU Council adopts Cyber Resilience Act
In future, networked products placed on the EU market must be protected against cyber attacks and bear the CE mark to show it.
The Council of the European Union adopted the Cyber Resilience Act (CRA) on Thursday. With the vote of the EU member states' interior and justice ministers, the new rules for better security of networked devices can now enter into force. The EU wants devices connected to a network, from computers and coffee machines to baby monitors, to be better protected against cyber attacks.
"Connected products make our everyday lives easier, but they can also be exploited by criminals. That's why they must be secure," said Federal Minister of the Interior Nancy Faeser (SPD). Consumers must be able to rely on the fact that networked devices in the home do not pose a security risk.
Obligations for manufacturers and retailers
The new regulation places obligations on manufacturers, importers and distributors. In future, products bearing the familiar CE mark must also be secured against IT attacks. In addition, manufacturers must report actively exploited vulnerabilities and severe security incidents to a central reporting platform and provide security updates throughout the product's support period.
Manufacturers must ensure that "all products with digital elements" that have a "logical or physical data connection" are "designed and developed in accordance with the essential cybersecurity requirements set out in the regulation". This covers a broad portfolio of household appliances, computer hardware, consumer electronics, software and associated cloud solutions.
The principle of "security by design" is thus being incorporated into European technology law. In future, manufacturers will have to take responsibility for the cyber security of their products and applications throughout their entire life cycle, said BSI head Claudia Plattner. "This will benefit all users and ultimately also the manufacturers, as their products will be of higher quality and more secure."
Transition period of three years
As a regulation, the CRA is directly applicable and does not have to be transposed into national law by the member states. The European Parliament already approved it in March, ahead of the Council. The regulation must now be signed by the Presidents of the Council and Parliament and then published in the Official Journal of the EU, which is expected in the coming weeks.
The regulation enters into force 20 days after publication in the Official Journal, followed by a transitional period of three years. This means that from around November 2027 at the latest, all products placed on the market will have to meet the new cybersecurity requirements and document this with the CE mark. Some obligations apply earlier: the duty to report actively exploited vulnerabilities takes effect 21 months after entry into force.
In future, consumers and companies will be able to "recognize at a glance that a networked device meets essential cybersecurity requirements by means of the familiar CE mark", said Faeser. "The tried-and-tested CE mark now also stands for security against cyber threats."
(vbr)