Smart watches, robotic vacuum cleaners, digital locks – connected devices are part of many consumers’ everyday lives. However, this also means new everyday security problems for consumers. To date, consumers have had to rely on the good will of manufacturers when it comes to cybersecurity. The EU wants the Cyber Resilience Act (CRA) to change this. The legislation will establish a legal framework that obliges all manufacturers across the EU to ensure their connected products meet cybersecurity standards. The Federation of German Consumer Organisations (Verbraucherzentrale Bundesverband – vzbv) welcomes the new planned legislation, but criticises the fact that there is no obligation to provide security updates for a product’s full lifespan.
Ramona Pop, Executive Director of vzbv, says the following about the conclusion of the trilogue negotiations of the European Commission, European Parliament, and the Council of the European Union:
Consumers are right to expect that their smart watch or fitness armband is and will remain secure for as long as it is worn. EU-wide legislation to address the cybersecurity of connected everyday products is thus overdue.
We welcome the fact that, in future, manufacturers will have to comply with requirements that are critical to security, and offer updates. What we cannot understand, however, is why manufacturers do not have to provide updates for the entire lifetime of a product. It appears that policymakers gave in to pressure from manufacturers on this very important point. This is neither consumer friendly nor sustainable.
Another downside is that the new rules do not enter into force until 36 months from now, meaning consumers remain unprotected until the end of 2026. Those are three wasted years.
On 30 November 2023, the European Commission, the European Parliament, and the Council of the European Union concluded their trilogue negotiations on the CRA. However, implementation and enforcement of the CRA only start at the end of 2026 at the earliest.
vzbv welcomes the fact that consumer products such as smart watches, smart home servers, smart toys, and smart security products are finally being recognised as products for which cybersecurity is critical. These products are thus subject to special requirements before entering the market.
Manufacturers also have to provide security updates for connected products. However, vzbv criticises the fact that the envisioned support period (for the provision of updates) does not necessarily cover a product’s full lifespan.
vzbv also welcomes the fact that, in future, representative actions will be permitted in the area of cybersecurity. vzbv will thus be entitled to take legal action in the event of cybersecurity violations.