Cyber Resilience Act

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020 (Cyber Resilience Act)

The EU Cyber Resilience Act is a proposed regulation aimed at establishing common cybersecurity standards for products with digital elements across the European Union. However, it is important to note that this act is not yet in force. The legislative process is still ongoing, and as of now, the proposal is at the first reading stage in the European Parliament. This means that while the act has been introduced and is under consideration, it has not yet been adopted or implemented into law.

Structure and Key Sections

  1. Objectives and Scope: The regulation aims to ensure that all products with digital elements placed on the EU market meet essential cybersecurity requirements throughout their lifecycle. This includes the entire process from design and development to post-market activities, such as updates and vulnerability management.
  2. Cybersecurity Requirements: Manufacturers are required to integrate cybersecurity into the product design phase and ensure that products are secure by default and by design. This section outlines the obligations for manufacturers, importers, and distributors to ensure the cybersecurity of their products, including timely updates and vulnerability handling.
  3. Market Surveillance and Enforcement: The proposal establishes a framework for market surveillance and enforcement, ensuring that non-compliant products are identified and addressed. National authorities are given the power to take corrective measures, including fines and product recalls, to enforce compliance with the act.
  4. Harmonized Standards: The act promotes the development and use of harmonized standards to facilitate compliance with the cybersecurity requirements. These standards are intended to provide clear guidance to manufacturers on how to meet the regulatory obligations and ensure a level playing field across the EU.
  5. Information Obligations: The regulation mandates that manufacturers provide clear and comprehensive information to users about the cybersecurity features of their products. This includes instructions for secure configuration and use, as well as details on the expected product lifespan in terms of cybersecurity support.
  6. International Impact and Cooperation: The Cyber Resilience Act is designed to set a global benchmark for product cybersecurity, influencing standards beyond the EU. It emphasizes the EU’s role in leading global cybersecurity efforts by establishing rigorous standards that can serve as a model for other regions.

The Cyber Resilience Act is poised to become a key regulation in the EU’s digital strategy, addressing the growing cybersecurity challenges posed by the increasing proliferation of connected devices. The regulation is expected to enhance trust in digital products, reduce the number of cybersecurity incidents, and position the EU as a global leader in cybersecurity standards.
