By 2030, it is estimated that there will be over 29 billion connected devices worldwide (source: Statista). Inevitably, these devices will need to be as secure as possible to avoid becoming targets of cybercrime. Through the Cyber Resilience Act, the European Commission aims to protect European citizens from cyber threats.
Introduced in September 2022, the new regulation proposal is set to become a reality, establishing new and higher standards for the cybersecurity of IoT devices entering the European market and their associated services, as well as imposing stricter obligations on their manufacturers.
Cyber Resilience Act: where did it come from?
The need for legislative action on IoT device security stems from the realization that the market is growing. As more and more IoT devices are interconnected, the volume of data exchanged will increase, and that data is also processed by organizations outside the European Union. Among the consequences of this arrangement is the increased cost of combating cybercrime.
With the measure, the European Commission has set four goals:
- create a common European framework for cybersecurity governance;
- ensure that manufacturers, starting from design and throughout the lifecycle, work to improve the protection of devices and services;
- increase transparency of cybersecurity practices and technical properties of products and services;
- provide consumers and businesses with secure products from the first use.
The Cyber Resilience Act thus requires manufacturers to manage the issue of information security and technical vulnerabilities of devices by applying the principle of “privacy-by-design” to production processes.
The same measure defines products with digital elements as any type of software or hardware product and its related remote data processing solutions, including elements related to such products (even if they are brought to market separately). The definition is generic and is specified by the annexes to the text of the law. It should be pointed out that the Cyber Resilience Act also covers importers of digital products, obliging them to place on the market only products that meet the essential requirements for averting vulnerability risks.
What producers are required to do
Manufacturers are required to verify and declare that products with digital elements carry an EU mark of conformity (provided for in Article 20 of the Cyber Resilience Act); distributors, on the other hand, bear only the burden of placing on the market products that have been found to comply with the regulations.
The measure also extends these obligations to substantial changes that occur over time (upgrades, software repairs, physical maintenance), requiring an assessment of whether each such change affects the product’s compliance with the standards.