The European Union's Cyber Resilience Act (CRA) has officially entered into force, setting binding cybersecurity requirements for connected products sold across the region. The legislation, proposed by the European Commission over two years ago, aims to address growing concerns over hacking risks associated with the proliferation of internet-connected devices, such as smartwatches, toys, and home appliances.
The CRA places obligations on product manufacturers to provide security support to consumers, including shipping software updates that fix security vulnerabilities for a defined support period. The main obligations do not apply until December 11, 2027, three years from now, but the duty to report actively exploited vulnerabilities and severe incidents to the authorities kicks in earlier, from September 11, 2026, so device makers are expected to begin preparing for the changes now. The law is a response to rising concerns that profits were being prioritized over consumer security, with frequent headlines about hacked baby monitors and kids' toys.
The pan-EU law imposes mandatory cybersecurity requirements on products with digital elements, hardware and software alike, throughout their lifecycles, from design and development through production and the support period. Importers and distributors, including retailers, are also responsible for ensuring that the products they supply or stock comply with the EU's rules. The CRA applies broadly to products that connect directly or indirectly to another device or network, with exceptions for products already covered by sector-specific EU rules, such as medical devices and cars, and for free and open-source software that is not supplied as part of a commercial activity.
Products that meet the CRA's requirements carry the EU's CE mark, which will signal to consumers that the product has passed the cybersecurity conformity assessment the law demands. The move is expected to "rebalance responsibility" for cybersecurity towards manufacturers, who must ensure their products meet the legal standards to access the EU market.
Penalties for failing to meet the CRA's requirements will be enforced by Member State market surveillance authorities, which are responsible for compliance checks. Breaches of the "essential cybersecurity requirements" can result in fines of up to 2.5% of global annual turnover or up to €15 million, whichever is higher. Breaches of other obligations risk fines of up to 2% or €10 million, while supplying incorrect, incomplete, or misleading information in reply to a request from a regulator or notified body can result in fines of up to 1% or €5 million, again whichever is higher.
The CRA marks a significant step in raising the baseline security of connected products in the EU. As the region continues to grapple with the challenges of IoT security, the legislation is expected to have a profound impact on the industry, pushing manufacturers to prioritize consumer security and promoting a safer environment for users.
With the CRA now in force, industry stakeholders will be watching closely to see how manufacturers adapt to the new requirements and how enforcement bodies apply them. Because any product sold into the EU must comply regardless of where it is built, the global implications of the legislation are likely to be far-reaching, shaping the future of connected devices and cybersecurity for years to come.