7 posts tagged with "Compliance"

On 3 December 2025, the European Commission published its first Frequently Asked Questions document on the Cyber Resilience Act (CRA). This is the first official implementation guidance since the regulation was published in November 2024, and it provides important clarifications on how manufacturers should approach compliance.

The FAQ is a substantial document covering scope, product classification, manufacturer obligations, vulnerability reporting, conformity assessment, and timelines. For product teams preparing for the December 2027 deadline, Chapters 4 (Manufacturer Obligations) and 5 (Reporting) contain the most actionable guidance.

The European Commission has published Implementing Regulation (EU) 2025/2392, providing the detailed technical descriptions that define exactly which products fall into the CRA's "Important" and "Critical" risk categories. This is the first major piece of secondary legislation under the Cyber-Resilience Act, and it removes much of the ambiguity around product classification.

On June 27, 2025, the US Food and Drug Administration (FDA) published a landmark update to its premarket cybersecurity guidance, superseding the version from September 2023. This new document provides critical clarity for medical device manufacturers by consolidating previous guidances and formally defining the legal obligations for "cyber devices" under Section 524B of the FD&C Act.

On 16 June 2025, the UK's Information Commissioner's Office (ICO) published new draft guidance aimed directly at the manufacturers and developers of Internet of Things (IoT) products. This is a significant development for any company placing connected devices on the UK market, providing much-needed regulatory clarity on how data protection law applies to the IoT ecosystem.

On November 20, 2024, the Cyber-Resilience Act (CRA) was officially published in the EU's Official Journal as Regulation (EU) 2024/2847. This marks the final, formal step in a legislative process that will fundamentally reshape the market for connected devices.

The NIS 2 Directive (EU 2022/2555) was published in the Official Journal of the EU in December 2022, officially replacing the original NIS Directive. This new legislation significantly expands the scope of Europe's cybersecurity rules, imposing stricter risk-management and reporting obligations on a wider range of critical sectors.

In a move with major implications for the connected device market, the European Commission published Delegated Regulation (EU) 2022/30 in January 2022. This act officially activated the dormant cybersecurity clauses within the Radio Equipment Directive (RED), turning what were once recommendations into hard legal requirements.