European Union: Reached Council and the Parliament provisional agreement on the Cyber Resilience Act including cybersecurity requirements for products with digital elements

On 30 November 2023, the Council of the European Union and the European Parliament reached a common provisional agreement on the proposed regulation regarding Cybersecurity Requirements for Products With Digital Elements (Cyber Resilience Act), which aims to establish mandatory cybersecurity requirements for products with digital components, such as connected home cameras, smart fridges, TVs, and toys. The Act outlines safety requirements that have to be met by products before they enter the market. The proposed Act will apply to all products connected to other devices or networks, except for those already covered by existing EU rules on cybersecurity, such as medical devices, aviation, or cars. Under the reached agreement, the rules holding manufacturers responsible for compliance with security requirements, vulnerability handling processes, transparency for consumers and business users, and market surveillance are clarified. In addition, the reached agreement includes amendments regarding the scope of the legislation, reporting obligations, determination of product lifetime, support for small and micro enterprises, and a simplified declaration of conformity. The provisional agreement has to be formally adopted by the Council of the European Union and the Parliament and will be implemented 3 years after its entry into force.