At the end of 2024, the Regulation on Horizontal Requirements for Cybersecurity of Products with Digital Elements (or Cyber Resilience Act) entered into force.
In our daily lives, we come into contact with many products with digital elements, whether it’s a smartwatch or a baby monitor. But these products can pose a security risk. At the same time, it is often a challenge for users to determine which products are cyber-secure. The Cyber Resilience Act was passed to facilitate this process and make products more secure.
Objectives of the legislation
The Regulation governs the cybersecurity of products with digital elements. Its aim is to ensure that products are cyber-secure throughout their life cycle, to increase transparency about the security of hardware and software, and to minimise the risks associated with the use of such products.
Product with digital elements
According to the Regulation, a product with digital elements is a software or hardware product and its remote data processing solution, including software or hardware components that are placed on the market separately. The Regulation applies to all products that are directly or indirectly connected to another device or network. These include industrial control systems, smart watches, baby monitors, smart appliances (internet of things), video games, laptops, mobile phones and even smart cards. Products placed on the European market will have to comply with the cybersecurity requirements set out in the Regulation at all stages of their life cycle.
The Regulation does not apply to products covered by the rules of another regulation (e.g. medical devices or cars).
Important and critical products
The Regulation distinguishes two special categories – important products with digital elements and critical products with digital elements – and imposes stricter requirements on these in the conformity assessment process. Among the important products with digital elements, the Regulation includes, for example, password managers, operating systems and general-purpose virtual assistants for smart homes. Critical products according to the Regulation are, for example, hardware devices with security boxes, smart cards or similar devices.
Obligations of manufacturers
The Regulation sets out obligations in particular for manufacturers of products with digital elements. These duties will include, for example:
- consider cybersecurity in product planning, design, development, manufacturing, delivery and maintenance
- document all product cyber security risks
- carry out a conformity assessment
- exercise due diligence when incorporating components from third parties and ensure that these components do not compromise the security of the product
- inform users – attach clear and understandable information and instructions to the product, and inform users about incidents, related corrective actions or the termination of support
- ensure automatic installation of security updates during the so-called support period (which corresponds to the expected duration of the product’s use)
- report actively exploited vulnerabilities and incidents related to the product
- and others
The Cyber Resilience Act will become fully applicable by the end of 2027.
If you would like more information in this regard, please do not hesitate to contact us.
This article is for informational purposes only and does not constitute legal advice or guidance for any particular case.