New EU Cyber Resilience Act Strengthens Digital Security

2025-01-17

Brussels, Friday, 17 January 2025.
The Cyber Resilience Act mandates cybersecurity standards for digital products, enhancing EU-wide protection and transparency to empower safer consumer choices by 2027.

Groundbreaking Legislation Takes Effect

The European Union’s Cyber Resilience Act (CRA) entered into force on December 10, 2024 [5], marking the world’s first comprehensive legislation aimed at ensuring cybersecurity for products with digital components [5]. The act introduces mandatory cybersecurity requirements for all products with digital elements (PDEs) in the EU market [3], addressing a critical gap in the previous fragmented regulatory landscape [5].

Scope and Implementation Timeline

The legislation affects a vast digital ecosystem, with over 20 billion connected devices currently in use across the EU, projected to reach 30 billion by 2030 [6]. The EU market for connected digital products is expected to grow from €120 billion in 2024 to between €250 billion and €300 billion by 2030 [6]. Manufacturers and businesses have until December 11, 2027, to fully comply with the new requirements [1]. The act will particularly impact products such as smart home devices, IoT systems, and cloud services [4], though certain sectors including medical devices, military hardware, and motor vehicles are exempt due to existing specialized regulations [4].

Enforcement and Compliance Measures

The CRA introduces stringent penalties for non-compliance, with fines reaching up to €15 million or 2.5% of global annual turnover [3][6]. Manufacturers must ensure cybersecurity by design, implement vulnerability management processes, and provide security updates throughout a product’s lifecycle [5]. Companies are required to report security incidents to ENISA within 24 hours of discovery and complete full reporting within 72 hours [3]. Products meeting these requirements will bear the CE marking to indicate compliance [1].

Integration with Broader EU Cybersecurity Framework

The CRA works in conjunction with the NIS2 Directive, which entered into force in January 2023 [2]. However, as of January 17, 2025, the European Commission has issued formal notices to 23 Member States for failing to transpose NIS2 by the October 2024 deadline [2], highlighting the ongoing challenges in implementing comprehensive cybersecurity measures. The framework is further strengthened by the upcoming Cyber Solidarity Act, set to take effect on February 4, 2025 [7], which will establish a European Cybersecurity Alert System and create an EU Cybersecurity Reserve for incident response.

Sources

