By: Kate Fazzini

As the EU's Cyber Resilience Act moves toward full application, manufacturers of connected products are confronting something new: binding security-by-design and vulnerability-handling obligations for the entire supported life of a device, backed by real penalties.

An Atlantic Council commentary described the CRA as a potential global baseline — a Brussels-effect moment for product security — while cautioning that its reach into open-source software and its documentation demands could burden smaller developers. The through-line is a shift from voluntary hygiene to enforceable duty across the product lifecycle.

This is familiar ground for JLCW readers. "The Internet of Things (IoT) in a Post-Pandemic World" (Volume 9, Issue 1) examines the governance gaps that let insecure connected devices proliferate, and the Journal's ICS-security scholarship — "A Case Study on Improving ICS Cyber Security Legislation" — makes the case for legislating security into industrial and connected systems rather than bolting it on.

For the full discussion of connected-device regulation, read the Journal of Law and Cyber Warfare, Volume 9, Issue 1. – Kate Fazzini