Cybersecurity: Ensure update obligation for the entire lifespan of a product

To date, consumers have no legal protection against cyber risks posed by connected devices. That is why vzbv welcomes the CRA proposal in which the EU aims to introduce EU-wide IT security requirements for the first time. In its position paper, the Federation of German Consumer Organisations (Verbraucherzentrale Bundesverband e.V. – vzbv) calls for sufficiently long time periods during which manufacturers are obliged to provide security updates as well as stringent certification requirements for critical products. 

vzbv urges the EU institutions engaging in trilogue negotiations to ensure that security updates are provided for a sufficiently long period, which may not be artificially shortened. Otherwise, consumers run the risk of using insecure devices, which pose cyber risks.

Similarly, simple self-certification of compliance with legal obligations by the manufacturers does not sufficiently address risks posed by smart home products used in private settings, products for children and wearables. Independent third parties are essential to assess critical products and ensure that they comply with comprehensive security standards.

It is also important that consumers can assert their rights in case of complaints and that consumer associations can bring representative actions before courts.