Cyber Resilience Act: Enhancing Security for Connected Devices in the EU

The Cyber Resilience Act (CRA), enacted on November 20, 2024, marks a significant milestone in the European Union’s efforts to bolster cyber security for connected products. For data protection professionals, it is crucial to understand the implications of this comprehensive EU regulation, which sets horizontal cyber security requirements for a diverse range of products—from connected toys and smart TVs to complex industrial systems.

Core Objectives:

The CRA introduces minimum cyber security standards for products containing digital elements, addressing vulnerabilities throughout the entire product lifecycle. The regulation aligns with the European Commission’s initiative that began with its proposal on September 15, 2022, and was further shaped through extensive discussions with the EU Council and European Parliament. Belgium played an instrumental role in advocating for practical measures to reduce vulnerabilities efficiently.

Phased Implementation:

To ensure a smooth transition, the CRA stipulates a phased implementation over the next few years. Initially, manufacturers must report security incidents and vulnerabilities to authorities during a 21-month adjustment period beginning from the act’s publication. This stage aims to enhance transparency and expedite security updates. Subsequently, a full range of CRA requirements will become mandatory, including standard security measures and extensive market surveillance.

Compliance Standards:

All connected products entering the European market will be subject to a conformity assessment, regardless of the manufacturer’s location. Low-risk products may adhere to a simplified compliance process through self-declaration. In contrast, critical products will undergo a thorough evaluation by third-party auditors, known as conformity assessment bodies. This layered approach ensures that the varying levels of risk associated with connected products are adequately addressed.

Enhancing User Engagement:

A notable aspect of the CRA is its emphasis on user transparency. It mandates that manufacturers inform users about the duration of security support for their products. Additionally, automatic security updates are expected to be enabled by default, significantly improving the resilience of connected devices against emerging threats.

For those deeply involved in data protection and privacy, the CRA represents a forward-thinking approach to mitigating risks in an increasingly interconnected world. By fostering an ecosystem of transparency and accountability, the act sets a robust framework that reinforces the integrity and security of digital products across the EU market.

Original source link: [Cyber Resilience Act News](https://ccb.belgium.be/nl/nieuws/cyber-resilience-act-cra-nieuwe-regels-maken-verbonden-producten-veiliger).