
EU Institutions Finalize Agreement on the Cyber Resilience Act for Connected Products


The EU institutions have reached a final agreement on the Cyber Resilience Act specifically designed to address the growing concerns about security risks associated with connected products.


In a significant move towards strengthening cybersecurity in Europe, the EU institutions have reached a historic agreement on a new cybersecurity law for connected products. The legislation aims to address the growing concerns surrounding the security and privacy of internet-connected devices, commonly referred to as the Internet of Things (IoT). By placing obligations on manufacturers and enhancing security measures across various sectors, this groundbreaking development marks a major step in safeguarding European citizens, businesses, and critical infrastructure from cyber threats.


The EU Cybersecurity Act enforces strict standards for connected products’ cybersecurity, ensuring prompt disclosure of vulnerabilities and incidents by manufacturers, distributors, and vendors.


The need to regulate cybersecurity in connected products emerged as the proliferation of IoT devices continued at an unprecedented pace. The EU recognized the potential risks associated with these devices, ranging from data breaches and privacy violations to cyberattacks on critical infrastructure. To address these concerns, the European Commission proposed the Cybersecurity Act in 2017, which was eventually adopted after extensive negotiations between the EU institutions. The new Cyber Resilience Act applies to a broad range of connected products, including smart home devices, wearable technology, connected cars, and industrial machinery. It introduces a comprehensive framework that imposes certain obligations on manufacturers, importers, distributors, and vendors of these products. They will be required to adhere to strict cybersecurity standards, perform risk assessments, implement security measures, and disclose any vulnerabilities or incidents promptly.


The law will require manufacturers to obtain certifications for their products, enhancing consumer trust and promoting secure goods across Member States.


To ensure compliance with the Cyber Resilience Act, the European Union Agency for Cybersecurity (ENISA) will play a central role in establishing a framework for certification. Manufacturers will need to obtain certifications for their products, signifying their adherence to the specified cybersecurity requirements. Such certifications will enhance consumer trust and facilitate the free flow of secure goods across EU member states. The implementation of this Cyber Resilience Act will have substantial implications for both businesses and consumers. Manufacturers will need to adopt a security-by-design approach, prioritizing cybersecurity at every stage of their product development lifecycle. Consumers can have greater confidence when purchasing connected products, knowing that they have undergone rigorous cybersecurity assessments. Ultimately, this will create a more secure and trustworthy IoT ecosystem within the EU.


The Cyber Resilience Act also strengthens security for critical sectors, prioritizing incident reporting and product security updates.


Recognizing the particular vulnerabilities of critical sectors, including energy, transportation, and healthcare, the Cyber Resilience Act prescribes additional security measures. This aims to protect essential services and infrastructure from potential cyber threats, ultimately ensuring the uninterrupted functioning of critical services vital to European citizens’ well-being and prosperity. The law also highlights the significance of prompt incident reporting by manufacturers or service providers in the event of any cybersecurity breaches or vulnerabilities, which is crucial for rapid response and remediation. Additionally, manufacturers will be mandated to supply regular security updates to connected products, ensuring that software vulnerabilities are patched promptly and minimizing the risk of exploitation.


The new legislation emphasizes international collaboration for secure connected products, promoting cooperation between the EU, other countries, and organizations.


The new legislation emphasizes the importance of international collaboration in ensuring the security of connected products. Cooperation between the EU and other countries, international organizations, and standardization bodies will be crucial in developing globally accepted cybersecurity standards. Furthermore, provisions have been made to facilitate information sharing among EU member states, enabling the rapid dissemination of cybersecurity threats, incidents, and best practices.

With the finalization of the Cyber Resilience Act for connected products, the EU demonstrates its commitment to ensuring robust cybersecurity measures against the threats posed by the rapid expansion of the IoT. This landmark legislation not only strengthens cybersecurity within the EU but also paves the way for global collaboration and the establishment of common cybersecurity standards.

At Aphaia, we commit to being the partner guiding you through a comprehensive journey of ensuring compliance and providing peace of mind in an ever-evolving digital landscape. Take that first step today, and let’s build a secure future for your organization together. Contact Aphaia today to find out more.
