
Cyber Resilience Act: a necessary measure for the security of IoT devices


By 2030, it is estimated that there will be over 29 billion connected devices worldwide (source: Statista). Inevitably, these devices will need to be as secure as possible to avoid becoming targets of cybercrime. Through the Cyber Resilience Act, the European Commission aims to protect European citizens from cyber threats.

Introduced in September 2022, the new regulation proposal is set to become a reality, establishing new and higher standards for the cybersecurity of IoT devices entering the European market and their associated services, as well as imposing stricter obligations on their manufacturers.

Cyber Resilience Act: where did it come from?

The need for legislative action on IoT device security stems from the realization that the market is growing. The interconnection between more and more IoT devices will increase the flow of data exchanged, which is also processed by organizations other than those operating within the European Union. Among the consequences of this arrangement are increased costs to combat cybercrime.

With the measure, the European Commission has set four goals:

  • create a common European framework for cybersecurity governance;
  • ensure that manufacturers, starting from design and throughout the lifecycle, work to improve the protection of devices and services;
  • increase transparency of cybersecurity practices and technical properties of products and services;
  • provide consumers and businesses with secure products from the first use.

The Cyber Resilience Act thus requires manufacturers to manage the issue of information security and technical vulnerabilities of devices by applying the principle of “privacy-by-design” to production processes.

The same measure defines products with digital elements as any type of software or hardware product and its related remote data processing solutions, including components of such products (even if they are brought to market separately). The definition is generic and is specified further by the annexes to the text of the law. It should be pointed out that the Cyber Resilience Act also applies to importers of digital products, obliging them to place on the market only products that meet the essential requirements to avert vulnerability risks.

What producers are required to do

Manufacturers are required to verify and declare that products with digital elements have an EU mark of conformity (provided for in Article 20 of the Cyber Resilience Act); distributors, on the other hand, are only required to place on the market products that are found to be compliant with the regulations.

The measure also extends these obligations to substantial changes that occur over time (upgrades, software repairs, physical maintenance), requiring an assessment of whether these changes affect the product’s compliance with the standards.
