The newly adopted cyber resilience act introduces comprehensive EU-wide cybersecurity regulations for connected products. Photo: Shutterstock

The newly adopted cyber resilience act introduces comprehensive EU-wide cybersecurity regulations for connected products. Photo: Shutterstock

The cyber resilience act, adopted on 10 October 2024, sets forth stringent cybersecurity requirements for hardware and software products, ensuring safety and compliance with a new CE marking system in the European Union.

The European Council a new law aimed at establishing cybersecurity requirements for products with digital elements on 10 October 2024, known as the cyber resilience act. This legislative initiative sought to ensure that products such as connected home cameras, fridges, televisions and toys met safety standards before entering the market. The new regulation aimed to address existing gaps, clarify connections and enhance the coherence of the existing cybersecurity legislative framework. Its overarching goal was to ensure that products incorporating digital components, particularly internet of things (IOT) products, maintained security throughout the supply chain and their entire lifecycle.

The cyber resilience act introduced comprehensive EU-wide cybersecurity requirements governing the design, development, production and market availability of hardware and software products. This measure aimed to eliminate overlapping requirements that had arisen from various pieces of legislation across EU member states. Notably, both software and hardware products were required to bear the European conformity (CE) marking, indicating compliance with the regulation’s stipulations. The ‘CE’ marking is widely recognised across products traded within the European Economic Area, signalling that these products had undergone assessment to meet high standards for safety, health and environmental protection.

Under the new regulation, all products that connect either directly or indirectly to another device or a network were encompassed. However, certain exceptions existed for products already subject to cybersecurity requirements under existing EU legislation. These exceptions included medical devices, aeronautical products and automobiles.

The cyber resilience act also provided consumers with the ability to consider cybersecurity when selecting and using products with digital elements. This consumer-centric approach aimed to facilitate the identification of hardware and software products that featured adequate cybersecurity protections.

The new regulation will take effect twenty days after its official publication and will be applicable from October 2027, although some provisions will come into effect at an earlier stage.

Related articles