This week, the EU Cyber Resilience Act was published in the Official Journal of the EU.
This Act implements mandatory cyber security requirements for all hardware and software products sold in the EU with very limited exemptions. It aims to enhance the security of these products ensuring they are designed and developed with fewer vulnerabilities, marking a significant strengthening in the rules for manufacturers and software developers selling into the EU.
- Enhanced security standards: The Act mandates strict cyber security requirements for nearly all digital products, including household items like smart doorbells and security cameras. Products with known vulnerabilities will be banned from the EU market.
- Consumer protection: By regulating software and connected devices, the Act aims to protect personal and private data from being compromised, reducing the risk of homes being exposed to frequent hacking or scanning attacks.
- Strict enforcement and improvement: Non-compliance will result in hefty fines, encouraging manufacturers to assess and improve the security of their products, ultimately building greater consumer trust.
The publication of the Act means it will come into effect on 11th December 2024. Key implementation timelines include the adoption of technical specifications by December 2025, the enforcement of vulnerability reporting requirements by September 2026, and all remaining cyber security requirements becoming effective by December 2027.
Verona Johnstone-Hulse, UK Government Affairs & Global Institutions Engagement Lead at NCC Group, said:
“This is a landmark moment for cyber regulations, bringing virtually all digital products under the scope of strict security requirements for the first time. As the EU Cyber Resilience Act is implemented, roughly 600,000 products, including household items like smart doorbells and security cameras, will not be permitted to be sold on the EU market if they have known, exploitable vulnerabilities.
“Many of these devices pose real risks if they are left unregulated. Imagine living in a home which could be vulnerable to 12,000 hacking or scanning attacks a week? Our own research has shown that connected devices can leave homes exposed to vulnerabilities that attackers can then take advantage of, risking the loss of personal, private data.
“Tighter laws like the Cyber Resilience Act are crucial to ensuring digital safety across the products we use everyday. It looks like non-compliance will not be tolerated, with hefty fines awaiting rulebreakers, so it’s vital that manufacturers approach this Act carefully. It’s an opportunity to assess products on the market, recognise their vulnerabilities, and improve their security - which could go a long way in building consumer trust.”
Click here to find out more on how your organisation can prepare for the cyber resilience act: