"EU Cyber Resilience Act Primarily Aimed At Beefing Defenses of 'Smart' Connected Devices"
Smart devices and other connected devices, which have long been the weakest link in networks, may soon be forced to strengthen their defenses by the EU Cyber Resilience Act. The proposed legislation would apply to all products with "digital elements" in the European Union, requiring manufacturers to meet basic design standards as well as provide a means of updating and patching devices as vulnerabilities emerge. Manufacturers of connected devices would also be required to communicate key security features to customers and ensure that customers understand how to enable and maintain these features after the device is set up. The penalties proposed are similar to those in the General Data Protection Regulation (GDPR), with a maximum fine of 2.5 percent of global annual turnover. The EU Cyber Resilience Act defines connected devices as anything directly or indirectly connected to other devices or networks, casting a wide net intended to cover the entire smart device market. Some product categories are exempt from the proposed new rules, but only those that already have their own set of regulations. Some examples of exempted product categories are automobiles, aircraft, and medical devices. This article continues to discuss the proposed rules and potential impact of the EU Cyber Resilience Act.