EU Adopts Cyber Resilience Act to Regulate Internet of Things

The Council of the European Union adopted the Cyber Resilience Act earlier this month, a new law that will ensure that connected devices – including consumer products, such as smart doorbells, televisions, and toys, as well as commercial devices, such as IP cameras – meet new cybersecurity requirements before going to market. 

The regulations establish an EU-wide framework that encompasses design, development, production, and the sale of hardware and software products that connect either directly or indirectly to another device or network. 

The law enhances existing cybersecurity legislation, making regulations more coherent and ensuring that Internet of Things (IoT) products are secure, from supply chain to end of life.

CRA is designed to allow consumers to make informed decisions when shopping for connected digital products by making it easier for them to identify hardware and software with proper cybersecurity features. New products will be labeled with "CE" to signify that they meet the requirements. Products that are already regulated by existing EU rules, like medical devices, aeronautical products, and cars, are exempt from the new regulations.

In the coming weeks the legislative act will be signed by the presidents of the council and European Parliament and be published in the EU's official journal. The regulation will enter into force 20 days after publication and apply three years later, in 2027, although some provisions will apply at earlier stages.