EU: Cyber Resilience Act is coming

Caroline Neufert
Sep 19, 2022

The draft of the Cyber Resilience Act (CRA) aims to create a standard with cyber security requirements for products with “digital elements”. This includes products such as smartphones, IoT sensors and cameras, but also software, over the entire life cycle, that is directly or indirectly connected to another device or a network. After deliberation in Parliament and the Council, the revision and publication will take place. The implementation period is currently two years, so there will be some time before this regulation takes effect.

“Cybersecurity by design” will now become the guiding principle when developing products. Manufacturers shall provide support and software updates to address vulnerabilities and shall adequately inform consumers about product cybersecurity.

Executive Vice-President for a Europe Fit for the Digital Age Vestager: “We deserve to feel safe with the products we buy in the single market. Just as we can trust a toy or a fridge with a CE marking, the Cyber Resilience Act will ensure the connected objects and software we buy comply with strong cybersecurity safeguards. It will put the responsibility where it belongs, with those that place the products on the market.”

A bit late, but a sensible EU regulation for once. I see only the implementation, or the testing of the implementation, as difficult. For example, the annex lists in detail all possible product categories that fall within the scope of this law; thus, all new products are “left out” ;-). This also applies to the prescribed measures, which may well change in their usefulness over time. The possible “penalties” for non-compliance are rather homeopathic for international companies.

I praise the German product liability law for that. Just sell “properly” functioning products and it doesn’t need 100 pages of regulation and explanation. A suggestion for addition: “If, as a result of the defect of a product, someone is killed, his body (complement: his/her personality) or his health is injured, or an object is damaged (complement: or a criminal act is induced, or the product is not available with the agreed performance), the manufacturer of the product is obliged to compensate the injured party for the resulting damage.”
