EU Adopts CRA: Enhanced Security for Smart Devices, But Concerns Remain
The EU Council has adopted the Cyber Resilience Act (CRA), establishing cybersecurity requirements for products with digital elements. The objective of this legislation is to ensure that connected cameras, refrigerators, televisions, and toys enter the market with an adequate level of security.
The new act aims to address existing gaps and make cybersecurity legislation more coherent, ensuring the protection of products with digital components throughout their entire lifecycle.
The law introduces EU-wide cybersecurity requirements at all stages of development, manufacturing, and marketing for both hardware and software products. This will help avoid conflicts between various legislative acts in EU member states. Notably, both hardware and software will bear the CE mark, indicating compliance with high standards of safety, health, and environmental protection.
The new regulations will apply to all products connected to another device or network, except those for which cybersecurity requirements are already established, such as medical devices, automobiles, and aeronautical equipment. The adopted law will also simplify decision-making for consumers by allowing them to consider the cybersecurity level of products with digital elements.
The law will come into effect 20 days after its publication in the EU Official Journal, and its provisions will begin to apply 36 months later, with some requirements being enforced earlier.
Despite efforts to enhance security, the CRA may also pose challenges for open-source software developers and increase the risk of vulnerabilities being exposed. Many organizations and individuals have already expressed concerns about the CRA. Furthermore, leading cybersecurity experts have warned of the potential misuse of the CRA for surveillance or intelligence purposes.