Political agreement reached on EU Cyber Resilience Act

December 5, 2023

The European Commission has welcomed the political agreement between the European Parliament and the Council on the Cyber Resilience Act, which was originally proposed by the Commission in September 2022.

The Cyber Resilience Act (which is an EU Regulation) aims to improve the level of cybersecurity of digital products by introducing proportionate mandatory cybersecurity requirements for all hardware and software, ranging from baby monitors, smart watches and computer games to firewalls and routers. Products with different associated levels of risk will have different security requirements.

It aims for all products on the EU market to be cyber-secure, to deal with the growing threat from cyber criminals and other malicious individuals and organisations.

Once the Cyber Resilience Act is in place, manufacturers of hardware and software will have to implement cybersecurity measures across the entire lifecycle of the product, from design and development to after the product is placed on the market. Software and hardware products will bear the CE marking to indicate that they comply with the Act’s requirements and can therefore be sold in the EU.

The Act will also introduce a legal obligation for manufacturers to provide consumers with timely security updates for several years after purchase. This period must reflect the time products are expected to be used.

Through these measures, the new Act will empower users to make better informed and more secure choices, as manufacturers will have to become more transparent and responsible about the security of their products.

The agreement reached is now subject to formal approval by both the European Parliament and the Council. Once adopted, the Cyber Resilience Act will enter into force on the 20th day following its publication in the Official Journal.

Upon entry into force, manufacturers, importers and distributors of hardware and software products will have 36 months to adapt to the new requirements, except for a more limited 21-month grace period in relation to the reporting obligation of manufacturers for incidents and vulnerabilities.

The UK’s consumer connectable product security regime will come into effect on 29 April 2024. Businesses involved in the supply chains of these products will need to comply with this legislative framework from that date.