By 2030, it is estimated that there will be over 29 billion connected devices worldwide (source: Statista). Inevitably, these devices will need to be as secure as possible to avoid becoming targets of cybercrime. Through the Cyber Resilience Act, the European Commission aims to protect European citizens from cyber threats.
Introduced in September 2022, the new regulation proposal is set to become a reality, establishing new and higher standards for the cybersecurity of IoT devices entering the European market and their associated services, as well as imposing stricter obligations on their manufacturers.
The Act represents one of the most ambitious attempts to regulate the digital ecosystem at a European level, aligning with the broader EU Digital Strategy and complementing other regulations such as the GDPR and the NIS2 Directive.
Cyber Resilience Act: Where Did It Come From?
The need for legislative action on IoT device security stems from the realization that the market is growing. The interconnection between more and more IoT devices will increase the flow of data exchanged, which is also processed by organizations other than those operating within the European Union. Among the consequences of this arrangement are increased costs to combat cybercrime.
It is estimated that cybercrime already costs the global economy trillions of euros each year, and insecure connected devices are often considered an “easy entry point” for attackers.
With the measure, the European Commission has set four goals:
- create a common European framework for cybersecurity governance;
- ensure that manufacturers, starting from design and throughout the lifecycle, work to improve the protection of devices and services;
- increase transparency of cybersecurity practices and technical properties of products and services;
- provide consumers and businesses with secure products from the first use.
These objectives highlight a clear shift in responsibility: security is no longer only the end-user’s concern but becomes an obligation embedded in the production and distribution chain.
The Cyber Resilience Act thus requires manufacturers to manage the issue of information security and technical vulnerabilities of devices by applying the principle of “privacy-by-design” to production processes.
In practice, this means that every connected device placed on the EU market will need to respect minimum standards of robustness, patchability, and resistance to known attack techniques. The same measure defines products with digital elements, referring to any type of software or hardware product and related remote data processing solutions, including elements related to such products (even if they are brought to market separately). The definition is generic and is specified by the annexes to the text of the law. It should be pointed out that the Cyber Resilience Act also applies to importers of digital products, obliging them to place on the market products that meet the essential requirements to avert vulnerability risks.
In this sense, the regulation also acts as a filter at the borders of the European market, preventing insecure products developed elsewhere from undermining European digital security.
Cyber Resilience Act: A Guide for Procedures
Manufacturers are required to verify and declare that products with digital elements have an EU mark of conformity (provided for in Article 20 of the Cyber Resilience Act); distributors, on the other hand, bear only the burden of placing on the market products that are found to be compliant with the regulations.
The measure also extends these obligations to substantial changes that occur over time (upgrades, software repairs, physical maintenance), establishing an assessment of whether these changes affect the product’s compliance with the standards.
The Cyber Resilience Act is not only a technical regulation but a cultural step forward: it pushes the entire digital supply chain toward accountability, resilience, and transparency, shaping a safer digital future for Europe.









