Cybersecurity: Ensure update obligation for the entire lifespan of a product

vzbv publishes recommendations to mark the start of the trilogue negotiations on the Cyber Resilience Act (CRA)

To date, consumers have no legal protection against cyber risks posed by connected devices. That is why vzbv welcomes the CRA proposal in which the EU aims to introduce EU-wide IT security requirements for the first time. In its position paper, the Federation of German Consumer Organisations (Verbraucherzentrale Bundesverband e.V. – vzbv) calls for sufficiently long time periods during which manufacturers are obliged to provide security updates as well as stringent certification requirements for critical products. 

Man in shorts tries to repair a robot vacuum cleaner in his bedroom.

Credit: Elizaveta - Adobe Stock

vzbv urges the EU institutions engaging in trilogue negotiations to ensure that security updates are provided for a sufficiently long period, which may not be artificially shortened. Otherwise, consumers run the risk of using insecure devices, which pose cyber risks.

Similarly, simple self-certification of compliance with legal obligations by the manufacturers does not sufficiently address risks posed by smart home products used in private settings, products for children and wearables. Independent third parties are essential to assess critical products and ensure that they comply with comprehensive security standards.

It is also important that consumers can assert their rights in case of complaints and that consumer associations can bring representative actions before courts.


Recommendation for a consumer-friendly Cyber Resilience Act (CRA)

Recommendations of the Federation of German Consumer Organisations (Verbraucherzentrale Bundesverband – vzbv) on the Cyber Resilience Act trilogue negotiations | August 2023





Press and Media Relations +49 30 25800-525



Marielle Findorff

Policy Officer Digital and Media +49 30 258 00-0