The Cyber Resilience Act, the EU's upcoming legislation to boost the security of digital products, is now only one step away from being officially adopted.
After days of debate within the EU institutions, the European Parliament and the Council reached a provisional political agreement on the legislation on November 30.
First proposed by the EU Commission in September 2022, the CRA aims to introduce security requirements for connected device manufacturers within the Union.
One key requirement of the CRA is the mandate for manufacturers of Internet of Things (IoT) devices and other connected products to report serious cyber incidents and actively exploited vulnerabilities that have not yet been patched.
This is the first time such a requirement has been imposed by a horizontal, sector-agnostic law rather than by sector-specific rules.
Manufacturers will have to conduct a risk assessment to inform which security requirements apply to their product.
They will have to provide support for at least five years unless the product has a shorter expected lifetime.
Any security update provided during that support period must remain available for either 10 years or the remainder of the support period, whichever is longer.
For most products, manufacturers will be able to self-assess their compliance with the security requirements set out in the text; products in the act's higher-risk categories are subject to third-party conformity assessment.
The agreement is now subject to formal approval by the European Parliament and the Council.
Once adopted, CRA will enter into force on the 20th day following its publication in the EU's Official Journal.
Organizations affected by the CRA will then have 36 months to adapt to the new requirements, with a shorter 21-month transition period for manufacturers' reporting obligations on incidents and vulnerabilities.
This Cyber News was published on www.infosecurity-magazine.com. Publication date: Mon, 04 Dec 2023 13:01:10 +0000.