Rules aimed at enhancing the security of connected devices have officially gone into effect across the European Union.
The Cyber Resilience Act (CRA) imposes obligations on manufacturers to ensure consumer security, such as by updating software to address vulnerabilities.
Although compliance with the CRA’s main provisions isn’t required until December 11, 2027—granting device makers time to adapt—the law was proposed over two years ago with the goal of strengthening security for connected products like smartwatches, internet-connected toys, and home appliances controlled via apps.
The rise in connected devices has sparked concerns about increased hacking risks, with frequent reports of compromised baby monitors and children’s toys raising alarms about manufacturers prioritizing profits over consumer safety. The E.U. law establishes mandatory cybersecurity requirements that apply throughout a product’s lifecycle, from design to development and operation. Distributors and retailers are also tasked with ensuring the products they supply comply with the E.U.’s rules.
The CRA covers a wide range of connected devices—products that either directly or indirectly connect to networks—though there are exceptions for items already regulated under other E.U. rules, such as medical devices, cars, and certain open-source software.
Products meeting the CRA’s requirements may display the E.U.’s CE mark, signaling compliance. This should make it easier for consumers to identify secure products simply by looking for the CE marking.
The bloc aims to shift responsibility for cybersecurity onto manufacturers, who must ensure their digital products meet legal standards to access the E.U. market. Non-compliance with the CRA could result in penalties enforced by Member State oversight bodies. The law stipulates fines of up to 2.5% of global annual turnover (or up to €15 million, whichever is greater) for breaches of essential cybersecurity requirements. Non-compliance with other requirements may incur fines of up to 2% of global annual turnover (or €10 million), while failing to respond to regulatory requests can lead to fines of 1% of global annual turnover (or €5 million).