
The Cyber Resilience Act Explained: A Roadmap for IoT Manufacturers

Yesterday, in a landmark move to boost digital security, the European Council officially adopted the Cyber Resilience Act. This legislation sets new cybersecurity standards for a wide range of digital products, from smart home devices to connected toys. By establishing comprehensive requirements that span the entire lifecycle of these products, the Act aims to close existing security gaps and create a more unified, robust framework for IoT device safety. These requirements are being introduced to ensure that IoT devices are designed with security as a fundamental principle, not an afterthought.


As manufacturers prepare for this new era of enhanced digital security, understanding the implications of the Act becomes important for anyone involved in the development, distribution, or use of connected devices. The Act embeds cybersecurity throughout a product's lifecycle, from design and placement on the market through the product's support period, significantly enhancing digital safety for EU consumers and businesses.

What the Cyber Resilience Act means for manufacturers:

The new act outlines that products must be designed, developed, and produced to ensure an appropriate level of cybersecurity based on risks. Products should:

  1. Be free from known exploitable vulnerabilities when placed on the market.
  2. Have a secure by default configuration.
  3. Ensure vulnerabilities can be addressed through security updates, including, where applicable, automatic security updates that are enabled by default and that users can opt out of.
  4. Protect against unauthorized access with appropriate control mechanisms.
  5. Protect the confidentiality of stored, transmitted, or processed data.
  6. Protect the integrity of data against unauthorized manipulation or modification.
  7. Process only data that is necessary for the intended purpose (data minimization).
  8. Protect the availability of essential functions, including after incidents.
  9. Minimize negative impacts on the availability of services provided by other devices or networks.
  10. Be designed to limit attack surfaces, including external interfaces.
  11. Reduce the impact of incidents using appropriate mitigation mechanisms.
  12. Provide security-related information by recording and monitoring relevant internal activity.
  13. Allow users to securely remove data and settings, and transfer data to other products or systems securely.

The list above summarises the Essential Cybersecurity Requirements set out in Annex I of the Act (page 230).

Failure to abide by these requirements can result in administrative fines of up to €15,000,000 or up to 2.5% of the manufacturer's total worldwide annual turnover for the preceding financial year, whichever is higher.

We're Here to Help

EPS Global offers secure programming and provisioning services that align with the CRA's requirements. By leveraging EPS Global's expertise, manufacturers can ensure that their products are programmed with secure firmware and that unique identities are provisioned into devices during the manufacturing process. This supports key aspects of the CRA, such as placing products on the market free from known exploitable vulnerabilities and protecting them against unauthorised access.
