Building Trust in Digitalization: The Cyber Resilience Act Is Coming

Last December, all parties agreed on the final version of the Cyber Resilience Act (CRA). The new regulation for digital products has now received final approval from the EU Council and will enter into force 20 days after its publication in the Official Journal of the EU.

After a three-year transition period, manufacturers will be required to ensure an appropriate level of cybersecurity for at least five years for any new products they bring to market. Products that meet these requirements will carry the CE mark as proof of their security. Claudia Plattner, President of the German Federal Office for Information Security (BSI), sees this as an opportunity to strengthen public trust in digitalization. She highlights the benefits not only for users but also for manufacturers, who can offer higher quality through improved cybersecurity in the long term.

EU Emphasizes Manufacturer Responsibility

The Cyber Resilience Act applies to both products with digital components—such as smart household devices or toys with digital features—and fully digital products like video games and other software. Developers of non-commercial open-source software are explicitly excluded from the regulation, which initially sparked criticism. However, experts welcome the fact that the new law allows room for manufacturers to take responsibility—something that is also expected of open-source providers. While they are not legally required to ensure cybersecurity, it should still be a goal for all providers under the principle of self-responsibility.

We Support Our Clients in Implementing CRA Requirements Today

Given the extensive requirements, companies should prepare for the CRA in good time. We are already assisting our clients in aligning with the new regulation. Feel free to contact us.