Digital Policy Alert logo

European Union: Adopted Cyber Resilience Act by the Council of the EU including cybersecurity requirements for products with digital elements

Policy overview

Description

Adopted Cyber Resilience Act by the Council of the EU including cybersecurity requirements for products with digital elements

On 10 October 2024, the Council of the EU adopted the regulation on Cybersecurity Requirements for Products with Digital Elements (Cyber Resilience Act), which aims to establish mandatory cybersecurity requirements for products with digital components, such as connected home cameras, smart fridges, TVs, and toys. The Act outlines safety requirements that products have to meet before they enter the market. The Act will apply to all products connected to other devices or networks, except for those already covered by existing EU rules on cybersecurity, such as medical devices, aviation, or cars. Furthermore, the Act includes measures holding manufacturers responsible for compliance with security requirements, vulnerability handling processes, transparency for consumers and business users, and market surveillance. In addition, the Act includes amendments regarding the scope of the legislation, reporting obligations, determination of product lifetime, support for small and micro enterprises, and a simplified declaration of conformity. The Act will enter into force after twenty days following its publication and will enter into force after 36 months.

Original source

Scope

Policy Area
Data governance
Policy Instrument
Cybersecurity regulation
Regulated Economic Activity
cross-cutting
Implementation Level
supranational
Government Branch
legislature
Government Body
parliament

Complete timeline of this policy change

Hide details
2022-03-16
in consultation

On 16 March 2022, the European Commission launched a public consultation for the Cyber Resilience A…

2022-05-25
processing consultation

On 25 May 2022, the European Commission closed the public consultation for the Cyber Resilience Act…

2022-09-15
under deliberation

On 15 September 2022, the European Commission introduced a proposal for the "Cyber Resilience Act" …

2023-07-19
under deliberation

On 19 July 2023, the Council of the European Union reached a common position on the proposed Cybers…

2023-11-30
under deliberation

On 30 November 2023, the Council of the European Union and the European Parliament reached a common…

2024-03-12
under deliberation

On 12 March 2024, the European Parliament adopted the text provisionally agreed on the regulation r…

2024-10-10
adopted

On 10 October 2024, the Council of the EU adopted the regulation on Cybersecurity Requirements for …

2024-12-10
in grace period

On 10 December 2024, the Cyber Resilience Act entered into force with a grace period. The Cyber Res…

2026-06-11
in force

On 11 June 2026, Regulation 2024/2847 on horizontal cybersecurity requirements for products with di…

2026-09-11
in force

On 11 September 2026, Regulation 2024/2847 concerning horizontal cybersecurity requirements for pro…

2027-12-11
in force

On 11 December 2027, Regulation 2024/2847 on horizontal cybersecurity requirements for products wit…