New European Law on Cybersecurity of Digital Products

The European Union’s Cyber Resilience Act entered into force in December. The Act aims to establish horizontal cybersecurity requirements for products with digital elements to ensure they are placed on the market with fewer vulnerabilities, and that manufacturers take security seriously throughout a product’s lifecycle. This regulation intends to improve transparency regarding product support periods, enabling users to consider cybersecurity when selecting and using digital products. The regulation applies to products with a direct or indirect logical or physical data connection to a device or network but excludes certain products, such as those for national security or defense purposes.

The regulation mandates that manufacturers ensure their products comply with essential cybersecurity requirements throughout the product’s lifecycle, including the design, development, and production phases. Manufacturers are also obligated to implement effective vulnerability handling processes during the product’s support period, including a single point of contact through which users can report vulnerabilities. They must also give users clear instructions for the secure installation, operation, and use of their products, and issue an EU declaration of conformity. The technical documentation must include an assessment of cybersecurity risks and a description of how the essential cybersecurity requirements apply to the product.

Market surveillance authorities are designated to ensure the effective implementation of this regulation. They can take measures to restrict or prohibit products that pose significant cybersecurity risks and can enforce penalties for non-compliance. The regulation also establishes a single reporting platform through which manufacturers report actively exploited vulnerabilities and severe incidents. The information is shared with the relevant Computer Security Incident Response Teams (CSIRTs), although its dissemination may be delayed in exceptional circumstances for cybersecurity reasons. The regulation also encourages Member States to provide single entry points for the various reporting requirements under Union law.

The regulation sets out a framework for conformity assessment and encourages the use of harmonized standards and European cybersecurity certification schemes to demonstrate compliance. It also provides support for micro, small, and medium-sized enterprises, including simplified documentation formats and financial support options. The European Union Agency for Cybersecurity (ENISA) is given tasks to support implementation. The regulation will apply from December 2027, with specific provisions for reporting obligations starting earlier.