EU Adopts Cyber Resilience Act to Regulate Internet of Things

The Council of the European Union adopted the Cyber Resilience Act earlier this month, a new law that will ensure that connected devices – including consumer products such as smart doorbells, televisions and toys, as well as commercial devices such as IP cameras – meet new cybersecurity requirements before going to market. 

The new regulations establish an EU-wide framework that encompasses design, development, production and the sale of hardware and software products that connect either directly or indirectly to another device or network. 

The law enhances existing cybersecurity legislation, making regulations more coherent and ensuring that “Internet of Things” (IoT) products are secure from supply chain to end-of-life. It applies to all products connected either directly or indirectly to another device or network.

CRA is designed to allow consumers to make informed decisions when shopping for connected digital products by making it easier for them to identify hardware and software with proper cybersecurity features. New products will be labeled with “CE” to signify they meet the requirements. Products that are already regulated by existing EU rules like medical devices, aeronautical products and cars are exempt from the new regulations.

In the coming weeks the legislative act will be signed by the presidents of the Council and of the European Parliament and be published in the EU’s official journal. The regulation will enter into force 20 days after publication and apply 3 years later, in 2027, although some provisions will apply at earlier stages.