Summary

The EU Cyber Resilience Act (CRA) aims to enhance consumer rights by ensuring that products with digital elements are secure by default, provide free security updates, and are transparent about their cybersecurity features. This empowers consumers to make informed decisions when purchasing such products.

Relevant CRA Provisions

• Recital (10)
• Recital (64)
• Recital (2)
• Recital (31)
• Recital (56)
• Article 6

Detailed Explanation

The CRA mandates that products with digital elements must be designed and produced with an appropriate level of cybersecurity, based on the risks they pose. This includes being made available on the market without known exploitable vulnerabilities and with a secure by default configuration. Manufacturers must ensure that vulnerabilities can be addressed through security updates, which should be provided free of charge. Additionally, products should include functions for the automatic notification, distribution, download, and installation of security updates, with an option for users to deactivate automatic updates. Manufacturers are also required to inform users about vulnerabilities and the end of the support period for their products.

Obligations for Stakeholders

• Manufacturers: Must ensure products meet essential cybersecurity requirements, provide free security updates, and inform users about vulnerabilities and the end of support periods. They should also facilitate the automatic installation of security updates where applicable.
• Consumers: Are empowered to make informed purchasing decisions due to increased transparency and accountability in the security features of products.