April 23, 2026

DNS Africa Resource Center


Europe's internet of things cyber law, explained – POLITICO Europe


From connected fridges to security cameras, the EU wants products to be less hackable.
BRUSSELS — From toys and fridges to robots and microchips, internet-connected devices sold in Europe will have to abide by strict rules to make sure they don’t get hacked too easily.  
European Union negotiators late Thursday agreed on a new cybersecurity law to secure the so-called internet of things (IoT). The Cyber Resilience Act (CRA) is Europe’s attempt to stop insecure digital devices — increasingly taking over homes and workplaces — from unleashing cyber threats. 
It is a cornerstone of a wider EU strategy to respond to myriad threats facing European governments, industry and citizens — often from cybercriminals and state-backed hacking groups from Russia, China and other foreign powers. 
The idea for an IoT security law started when Europe faced a record number of distributed-denial-of-service (DDoS) attacks in 2016, when IoT-connected devices like cameras were hijacked by hackers, turned into large “botnet” systems like the Mirai botnet, and used to flood websites and servers with internet traffic, making them unavailable to users.
The botnets revealed that many internet-connected devices were all too easily tampered with, letting malicious actors take over security cameras or compromise an internet-connected toy.
For a lot of industries — especially those outside of “critical infrastructure” — cybersecurity is also still largely unregulated and left up to the market. That has exposed everyone from government services to private companies, which have faced increasingly intrusive attempts to access their systems through vulnerabilities or by hacking suppliers. 
Europe’s IoT cyber law attempts to solve the problem by imposing strict requirements on anyone selling digital products across the bloc.
Products carrying the CE marking will need to meet a minimum level of cybersecurity checks, including keeping security updates available, checking the cybersecurity of supply chains and better sharing vulnerabilities with cybersecurity authorities.
Here’s what you need to know about the law.
Under the rules, companies will have to tell authorities about glitches in their software and hardware systems within 24 hours and provide more extensive reporting within 72 hours, to speed up sharing warnings about risks and attacks. 
Controversially, they’ll even have to tell authorities of vulnerabilities that are being actively exploited by hackers. Those reported vulnerabilities will be shared with both national authorities and the European Union’s Cybersecurity Agency (ENISA). 
That’s led to worries that Europe would create a massive database with active loopholes — a treasure trove for hackers that, if breached, could lead to a multiplication of attacks.
Consumer groups were passionate about the CRA requiring manufacturers to provide security updates throughout the product’s expected lifetime. 
Negotiators landed on language that said products will need to be supported for a minimum of five years — unless the device’s expected lifetime is shorter. That means consumers can rest assured that phones, fridges, cameras and other devices will keep getting security updates for a decent amount of time.
The law focuses on connected devices across a range of sectors, including “critical” areas like finance, aerospace, transport, energy and others; they also face tough cybersecurity requirements under the EU’s NIS2 Directive.
Companies could be fined up to €15 million or 2.5 percent of their yearly revenue — depending on which is higher — if they do not ensure their product is cybersecure by undertaking assessments of their products and reporting vulnerabilities.
Fines of up to €10 million or 2 percent of a company’s revenue will apply if importers or distributors fail to ensure a product has the CE marking.
The new law makes a point of allowing national regulators to consider “non-technical risk factors” when determining the significance of a cybersecurity risk. 
“Dependencies on high-risk suppliers of products with digital elements may pose a strategic risk that needs to be addressed at Union level, especially when the products with digital elements are intended for the use by essential entities,” the text reads. 
Terms like “high-risk suppliers” echo the EU’s 5G Security Toolbox legislation, which led to national restrictions on using Chinese telecom equipment from firms Huawei and ZTE. 
The new IoT law could lead to more targeted measures restricting the use of products made in China and other countries and legal systems distrusted by European member countries.
The text needs to be formally signed off in the European Parliament plenary and by national governments at the Council of the EU.
Industry and governments will have three years to adapt to the new requirements — meaning they will only really apply in early 2027.
For some rules, such as reporting vulnerabilities, the EU wants firms to comply by mid-2026. 