Day 1

Bridging the CRA Gap: Lifecycles vs. Expectations

Theme:
Future of Cybersecurity
Session complexity:
Time:
11:45 - 12:10

The upcoming Cyber Resilience Act (CRA) requires manufacturers of smart products to produce cyber-resilient products and uphold cyber resiliency during their lifecycle by supporting them for their expected use time. But what do consumers actually consider a “reasonable” use time – and which cyber risks arise when societal expectations outlast manufacturer support?
In this talk, we will discuss policy, market surveillance, and societal challenges, drawing on recent empirical data from consumers across Europe about the use times of smart products. Research shows that people generally expect their devices to last – and stay secure – for many years, often far beyond the current support periods or the baseline of five years provided by the CRA.
We will draw on perspectives from both academic research (Delft University of Technology, TU Delft) and market surveillance (RDI) to show the increasing impact on cyber resilience of the millions of smart products entering and remaining in society, and the role of the CRA. We will explain how easy-to-use smart products hide an increasing complexity of components, each with its own life expectancy and its own impact on user experience.
As a takeaway, we will highlight options for manufacturers and policymakers to better understand and meet real-life consumer lifecycle expectations and usage and to address the potential cyber risks that arise when those expectations are not met.

Speakers in this session

Lorenz Kustosch
Dr. Lisette Bakalis