Understanding the Regulatory Approach of the Cyber Resilience Act: Protection of Fundamental Rights in Disguise?

The swift proliferation of connected devices in the Internal Market brought attention to their weak cybersecurity standard, reflected by widespread and oftentimes unpatched vulnerabilities and successful cyberattacks. Attacks on cyber-physical systems have a critical impact not only on the Union’s economy but also on consumers’ health, safety, and fundamental rights. Against the background of the failure of the cybersecurity market of connected devices, the 10 December 2024 entered into force Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements (Cyber Resilience Act, CRA). After casting light on the three regulatory foundational choices underpinning this EU legal act in the field of cybersecurity (ie, horizontal approach, risk-based approach, product safety approach), the article investigates the extent to which the CRA enhances the protection of fundamental rights, as claimed in the Explanatory Memorandum of the Commission’s proposal.