Consumers and their connected products will now be better protected thanks to the EU’s Cyber-Resilience Act. The law sets minimum cybersecurity rules for manufacturers of connected products to respect. 

Why is it important?

More and more products on sale are now connected to the internet. However many of these ‘smart products’ often lack basic cybersecurity, such as passwords to prevent from being hacked, or do not receive software updates for long enough, making consumers vulnerable to malevolent individuals or entities. The market failed to solve this issue alone, requiring government intervention which led to the EU Cyber-Resilience Act.

For consumers, this means:

• Manufacturers need to provide software updates to connected products for as long as they are meant to be used, or for at least five years for longer-lasting products such as a TV,

• Sensitive consumer products, such as smart home products, connected toys or health wearables should go through a more rigorous assessment to show that they conform to the law, 

• Consumers have a right to seek justice together if a product that does not meet these EU cybersecurity standards caused them damage.

What BEUC did

BEUC regularly provided evidence to the EU institutions about the need for greater cybersecurity of connected products. 

Since 2016, BEUC members conducted tests of connected devices used at home, repeatedly demonstrating that too many connected products sold on the EU market came with multiple cybersecurity risks and lacked the most basic security features. The #ToyFail campaign, launched by our Norwegian member Forbrukerrådet, showed that a children’s doll named Cayla could easily be hacked in a few simple steps. In Belgium, our member Testachats found that two thirds of household IoT products tested had serious vulnerabilities, while in the UK, Which? found that from a doorbell to a wi-fi router and a smart speaker, ethical hackers easily ripped through the security in all of the devices, which in most cases no longer received vital software security updates.

This evidence proved particularly impactful in terms of convincing the European Parliament to include certain consumer products in the list of critical products which deserve extra certification that they are fit for sale on the Single Market.