Connected devices are increasingly pervasive in the Single Market, and so are the cyber threats and cyberattacks that affect them. The European Commission has identified the persistently sub-optimal level of cybersecurity of connected devices as the result of structural regulatory and market failures. To address this problem, Regulation (EU) 2024/2847 (Cyber Resilience Act, CRA) establishes horizontal cybersecurity requirements for products with digital elements. Early legal scholarship has largely concentrated on the CRA’s technical and compliance architecture, leaving its liability and consumer redress implications underexplored. Against this backdrop, this Chapter aims to address that gap by analysing avenues of consumer redress for cybersecurity-related harm caused by connected products, particularly where CRA’s requirements and obligations are not respected by relevant economic operators. It does so by examining the interaction between the CRA, the Representative Actions Directive (Directive (EU) 2020/1828), and the revised Product Liability Directive (Directive (EU) 2024/2853), with particular attention to their combined impact on collective and individual enforcement.
Chiara, P.G. (2026). EU Products Cybersecurity, Liability and Consumer Protection. Torino : Routledge - Giappichelli.
EU Products Cybersecurity, Liability and Consumer Protection
Pier Giorgio Chiara
2026
Abstract
Connected devices are increasingly pervasive in the Single Market, and so are the cyber threats and cyberattacks that affect them. The European Commission has identified the persistently sub-optimal level of cybersecurity of connected devices as the result of structural regulatory and market failures. To address this problem, Regulation (EU) 2024/2847 (Cyber Resilience Act, CRA) establishes horizontal cybersecurity requirements for products with digital elements. Early legal scholarship has largely concentrated on the CRA’s technical and compliance architecture, leaving its liability and consumer redress implications underexplored. Against this backdrop, this Chapter aims to address that gap by analysing avenues of consumer redress for cybersecurity-related harm caused by connected products, particularly where CRA’s requirements and obligations are not respected by relevant economic operators. It does so by examining the interaction between the CRA, the Representative Actions Directive (Directive (EU) 2020/1828), and the revised Product Liability Directive (Directive (EU) 2024/2853), with particular attention to their combined impact on collective and individual enforcement.I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.



