Mon. Jan 20th, 2025

Brussels, 30 December 2024

The Cyber Resilience Act, a landmark piece of legislation, entered into force. This marks a major leap forward in the EU’s efforts to protect its citizens and businesses from cyber threats.

The Cyber Resilience Act (CRA) is the first-ever EU legislation imposing mandatory cybersecurity requirements on products that include digital elements.

The Act places greater responsibilities on manufacturers to guarantee the security of hardware and software products. Central to the Act are new obligations for manufacturers to provide software updates that fix security vulnerabilities and offer security support to consumers. By enhancing transparency on cyber risks and product security, the Act empowers consumers to make more informed choices about products available on the EU market.

Products will bear the CE marking to indicate that they comply with the regulation’s requirements. The main obligations of the Act will apply from 11 December 2027.

Henna Virkkunen, European Commission Executive Vice-President, said: “We are committed to making Europe a safe and secure place for our citizens and businesses to operate. This new regulation is a major step forward in ensuring digital products in the EU do not pose cyber risks to EU consumers.”

The Cyber Resilience Act complements the Directive on measures for a high common level of cybersecurity across the Union (NIS2 cybersecurity framework), which entered into force last year. It is part of a series of comprehensive measures the EU is deploying to bolster the cybersecurity of an increasingly digital and connected Europe.

 


New rules to boost cybersecurity of EU’s critical entities and networks

The Commission has adopted the first implementing rules on cybersecurity of critical entities and networks under the Directive on measures for a high common level of cybersecurity across the Union (NIS2 Directive).

This implementing act details cybersecurity risk management measures as well as the cases in which an incident should be considered significant and companies providing digital infrastructures and services should report it to national authorities. This is another major step in boosting the cyber resilience of Europe’s critical digital infrastructure.

This adopted implementing regulation will apply to specific categories of companies providing digital services, such as cloud computing service providers, data centre service providers, online marketplaces, online search engines and social networking platforms, to name a few. For each category of service providers, the implementing act specifies when an incident is considered significant, to whom it needs to be reported and in which timeframe.

The adoption of the implementing regulation coincided with the deadline for Member States to transpose the NIS2 Directive into national law. From 18 October 2024, all Member States must apply the measures necessary to comply with the NIS2 cybersecurity rules, including supervisory and enforcement measures.


Source – EU Commission

 
