Ravi Nayyar on Nostr:
THE CYBER RESILIENCE ACT HAS BEEN ADOPTED BY THE COUNCIL OF THE EUROPEAN UNION!
The EU is weeks away from becoming the first jurisdiction with a bespoke regulatory framework for the product security _and_ labelling of all software sold commercially in the EU (save stuff covered by other EU rules like cars and healthtech).
Yes, the Yanks (via EO14028–>NIST) defined critical software (the CRA has ‘important products with digital elements’ and ‘critical products with digital elements’), but the Yanks, for now at least, have only gone down the procurement route for regulating vendor SDLCs. The EU, on the other hand, is covering everything sold commercially (bar the stated exceptions) to anyone in the EU.
Big day for all us SDLC regulation people!
What happens next: Council and EuroParl President sign it —> Publication in the EU OJ —> Entry into force 20 days later —> Application of most provisions 36 months later.
Press release (includes link to final text):
https://www.consilium.europa.eu/en/press/press-releases/2024/10/10/cyber-resilience-act-council-adopts-new-law-on-security-requirements-for-digital-products/
Published at 2024-10-11 01:16:31