EU Council Adopts Cybersecurity Law
The Council has adopted a new law on cybersecurity requirements for digital products, known as the Cyber Resilience Act. This regulation aims to ensure that products like connected home cameras, fridges, TVs, and toys are secure before entering the market. By introducing EU-wide requirements, the law seeks to harmonize the cybersecurity framework across member states, addressing gaps and overlaps in existing legislation. The regulation mandates that hardware and software products display the CE marking, indicating compliance with safety and security standards.
This new regulation applies to all products connected to a device or network, with exceptions for those already governed by existing EU rules, such as medical devices and cars. It empowers consumers to prioritize cybersecurity when choosing digital products, simplifying the process of identifying secure hardware and software. The regulation is designed to enhance security throughout the product lifecycle and supply chain.
Following its adoption, the legislative act will be signed by the presidents of the Council and the European Parliament, with publication in the EU’s Official Journal expected soon. It will take effect 20 days after publication, with full application 36 months later, although some provisions will be implemented earlier. This development follows the proposal by the European Commission in September 2022 and subsequent negotiations, culminating in a provisional agreement in November 2023.
The Cyber Resilience Act complements existing EU cybersecurity measures, such as the NIS and NIS 2 directives and the EU Cybersecurity Act. Announced by Commission President von der Leyen in 2021, the act is a crucial step in strengthening the EU’s cyber posture, ensuring digital products are secure and trustworthy for consumers across the European Economic Area.