EU – Cyber Resilience Act: Council Adopts New Law on Security Requirements for Digital Products

This blog was originally posted on 22nd October, 2024. Further regulatory developments may have occurred after publication. To keep up-to-date with the latest compliance news, sign up to our newsletter.

AUTHORED BY MICHELLE WALSH, SENIOR LEGAL TEAM LEADER, COMPLIANCE & RISKS

Introduction

The EU Council adopted a new law on cybersecurity requirements for products with digital elements with a view to ensuring that products, such as connected home cameras, fridges, TVs, and toys, are safe before they are placed on the market (Cyber Resilience Act). 

The new regulation aims to fill the gaps, clarify the links, and make the existing cybersecurity legislative framework more coherent, ensuring that products with digital components, for example ‘Internet of Things’ (IoT) products, are made secure throughout the supply chain and throughout their lifecycle.

Key Elements of the New Regulation

The new law introduces EU-wide cybersecurity requirements for the design, development, production and making available on the market of hardware and software products, to avoid overlapping requirements stemming from different pieces of legislation in EU member states. For example, software and hardware products will bear the CE marking to indicate that they comply with the regulation’s requirements. The letters ‘CE’ appear on many products traded on the extended single market in the European Economic Area (EEA). They signify that products sold in the EEA have been assessed to meet high safety, health, and environmental protection requirements.

The regulation will apply to all products that are connected either directly or indirectly to another device or to a network. There are some exceptions for products for which cybersecurity requirements are already set out in existing EU rules, for example medical devices, aeronautical products, and cars.

Finally, the new law will allow consumers to take cybersecurity into account when selecting and using products that contain digital elements, making it easier for them to identify hardware and software products with the proper cybersecurity features.

Next Steps

Following adoption, the legislative act will be signed by the presidents of the Council and of the European Parliament and published in the EU’s Official Journal in the coming weeks. The new regulation will enter into force twenty days after this publication and will apply 36 months after its entry into force with some provisions to apply at an earlier stage.

Stay Ahead Of Regulatory Changes Like the Cyber Resilience Act

Want to stay ahead of regulatory developments like the EU’s Cyber Resilience Act?

Accelerate your ability to achieve, maintain & expand market access for all products in global markets with C2P – Your key to unlocking market access, trusted by more than 300 of the world’s leading brands.
C2P is an enterprise SaaS platform providing everything you need in one place to achieve your business objectives by proving compliance in over 195 countries.

C2P is purpose-built to be tailored to your specific needs with comprehensive capabilities that enable enterprise-wide management of regulations, standards, requirements and evidence.
Add-on packages help accelerate market access through use-case-specific solutions, global regulatory content, a global team of subject matter experts and professional services.

• Accelerate time-to-market for products
• Reduce non-compliance risks that impact your ability to meet business goals and cause reputational damage
• Enable business continuity by digitizing your compliance process and building corporate memory
• Improve efficiency and enable your team to focus on business critical initiatives rather than manual tasks
• Save time with access to Compliance & Risks’ extensive Knowledge Partner network

Cybersecurity Compliance Decoded: Emerging Requirements Impacting Product Compliance

Stay ahead of the curve on the latest cybersecurity regulations impacting product compliance.

register now