From “traditional” software to cloud services and Internet of Things (IoT) devices, our economies and societies are increasingly reliant upon “smart products” that contain code and can connect to each other, e.g. through the Internet. Such products are vulnerable to cyber security risk, and economic factors often play a major role in their relative ‘insecurity’. This report discusses how policy makers can address key challenges that prevent smart products from reaching an optimal level of digital security. Increasing transparency and information sharing, promoting co-operation (including at the international level), and ensuring the duty of care of supply-side actors (e.g. through the principles of security-by-design, security-by-default and responsible end-of-life) are important avenues for policy action. Policy makers can leverage many tools to achieve these objectives, from public procurement, certification and multi-stakeholder partnerships, to labels and ex ante legal requirements.