It may come as a surprise that one of the biggest-selling smart light bulbs worldwide has had critical vulnerabilities that allowed it to be turned off, made to flicker, and even taken over remotely by someone outside your house. Another little-known fact is that a water treatment plant in the San Francisco Bay Area was hacked last year, with the attacker tampering with the software that controls water treatment and risking untreated water entering the drinking supply. Cyber resilience is now a critical factor in all our lives.

The Cyber Resilience Act ('CRA'), published by the European Commission on September 15, 2022, is a proposal to regulate cybersecurity requirements for products with digital elements. Its aim is to strengthen cybersecurity rules so that more secure hardware and software products reach the market.

Additionally, the Act places a duty on Member States to provide advice and guidance to the providers of such products so that they take appropriate measures to ensure continuity of service.

The two main objectives, aimed at ensuring the proper functioning of the internal market, are:

  • Create the conditions for the development of secure products with digital elements, by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and that manufacturers take security seriously throughout a product's life cycle; and
  • Create the conditions allowing users to take cybersecurity into account when selecting and using products with digital elements.

The Act splits products into three categories, depending on the level of cybersecurity risk associated with them:

  • Class I – covering, among others, networking products, authentication and identity management, update and patch management, and microcontrollers
  • Class II – covering, among others, operating systems, smartcards, digital certificate issuers, and industrial control systems
  • Unclassified or Default – everything else

The category determines how conformity is demonstrated: default products may be self-assessed by the manufacturer, Class I products must either follow harmonised standards or undergo third-party assessment, and Class II products require mandatory third-party conformity assessment. According to the Commission, the default category will cover 90 percent of connected devices, including photo-editing software, video games, and other commonplace software and devices.

HewardMills will continue to monitor developments on what falls into the Class I and Class II categories, the scope of the Act, and the exemption criteria.

If you would like to discuss this topic or anything else data protection and privacy-related, please contact us at