Proposal for a Regulation on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020

Author (Corporate)
Series Details COM (2022) 454
Publication Date 15/09/2022
Content Type , ,


Legislative initiative tabled by the European Commission on 15 September 2022, setting out a Cyber Resilience Act (CRA) aimed at protecting consumers and businesses from products with inadequate security features. This is a text with EEA relevance.

Further information:

The cybersecurity of products with digital elements has a strong cross-border dimension. In addition, incidents initially affecting a single entity or Member State often spread within minutes across the entire internal market. While existing legislation applies to certain products, most of the hardware and software products are not yet covered by any framework tackling their cybersecurity.

Four specific objectives are set out in this proposal:

  • ensure that manufacturers improve the security of products with digital elements since the design and development phase and throughout the whole life cycle;
  • ensure a coherent cybersecurity framework, facilitating compliance for hardware and software producers;
  • enhance the transparency of security properties of products with digital elements;
  • enable businesses and consumers to use products with digital elements securely.

The draft Regulation was first announced in the European Commission's Cybersecurity Strategy, and it entails amendments to Regulation (EU) 2019/1020. It was formally tabled on 15 September 2022, following the annual State of the European Union (SOTEU) address delivered by the President of the European Commission.

Source Link
Related Links
Commentary and Analysis
Orgalim: News, 15/09/2022: Cyber Resilience Act: A crucial step forward
Digital Europe: Press Release, 15/09/2022: Cyber Resilience Act: a big step forward for digital resilience but too much too soon
DR2 Consultants: Blog, 16/09/2022: European Cyber Resilience Act: can new requirements for products strengthen your organization’s cybersecurity resilience?

Bloomberg, 07/09/2022: Web-Connected Devices May Have to Meet New EU Cybersecurity Rules
EurActiv, 15/09/2022: Commission presents Cyber Resilience Act targeting Internet of Things products
Euronews, 15/09/2022: Brussels plans to introduce cybersecurity requirements for connected devices
Reuters, 15/09/2022: EU proposes rules targeting cybersecurity risks of smart devices
The Independent (UK), 15/09/2022: EU wants to toughen cybersecurity rules for smart devices
Politico, 15/09/2022: EU pitches cyber law to fix patchy Internet of Things
Forbes Magazine, 15/09/2022: EU Aims To Boost Security Of Connected Devices With New Cyber Resilience Act
EurActiv, 16/09/2022: EU chief announces cybersecurity law for connected devices

EUR-LEX: SWD(2022)282: Staff Working Document accompanying the Proposal - Impact Assessment Report
EUR-LEX: SWD(2022)283: Staff Working Document accompanying the Proposal - Executive Summary of the Impact Assessment Report
European Commission: Better Regulation: Have Your Say: Cyber resilience act – new cybersecurity rules for digital products and ancillary services
European Commission: Policies: EU Cyber Resilience Act
European Commission: Press Release, 15/09/2022: State of the Union: New EU cybersecurity rules ensure more secure hardware and software products
European Commission: State of the Union: EU Cyber Resilience Act - Questions & Answers (15 September 2022)

Subject Categories ,
Subject Tags , ,
International Organisations