- This week, the European Commission announced its proposal for the Cyber Resilience Act, which aims to protect consumers and businesses from digitally linked devices that lack fundamental cyber security safeguards.
- Essential requirements for the vulnerability management processes manufacturers use to maintain the cybersecurity of products with digital elements throughout their entire life cycle, and the obligations of economic operators in relation to these processes.
- The Cyber Resilience Act defines maximum administrative penalty levels for noncompliance that should be established in national legislation.
- The European Parliament and Council will now consider the draft Cyber Resilience Act.
- The Cyber Resilience Act would help safeguard Europe’s economic and collective security by creating cybersecurity by design.
The European Commission unveiled its proposal for the Cyber Resilience Act this week, intending to protect consumers and companies from digitally linked items that lack basic cyber security protections. The legislation will be mandatory for all EU member states, but it will also have global ramifications because any corporation selling items into the EU will be required to comply.
The objective of the Cyber Resilience Act
The Act, announced in September 2021, draws on the EU Cybersecurity Strategy 2020. The goal is to make digital devices, particularly those classed as “Internet of Things” products, more secure for people living and working in the EU, and to increase manufacturers’ responsibility to meet minimum security criteria. The new rules will affect everything from smart speakers to vehicles, toys, and digitally connected factories and warehouses.
Margrethe Vestager, Executive Vice-President for Europe Fit for the Digital Age, stated, “We deserve to feel safe with the products we buy in the single market. Just as we can trust a toy or a fridge with a CE marking, the Cyber Resilience Act will ensure the connected objects and software we buy comply with strong cybersecurity safeguards. It will put the responsibility where it belongs, with those that place the products on the market.”
When introducing the Act, the European Commission stated that ransomware attacks occur every 11 seconds around the world and that the predicted worldwide yearly cost of cybercrime will reach €5.5 trillion in 2021. As a result, according to the report, ensuring a high level of cybersecurity and reducing vulnerabilities in digital products, one of the main pathways for successful attacks, is more crucial than ever.
According to the documentation, a cybersecurity breach in one product can influence the whole supply chain, potentially disrupting economic and social activity across the EU internal market.
What will Cyber Resilience Act do?
The proposals made today are based on the New Legislative Framework for EU Product Legislation and will establish:
- Rules for placing products with digital elements on the market to ensure their cybersecurity.
- Essential requirements for the design, development, and production of products with digital elements, and the obligations of economic operators in relation to these products.
- Essential requirements for the vulnerability handling processes manufacturers implement to maintain the cybersecurity of products with digital elements over their entire life cycle, and the obligations of economic operators in relation to these processes. In addition, manufacturers would be required to report actively exploited vulnerabilities and incidents.
- Market surveillance and enforcement rules.
Margaritis Schinas, Vice-President for Promoting our European Way of Life, stated that, “The Cyber Resilience Act is our answer to modern security threats that are now omnipresent through our digital society. The EU has pioneered in creating a cybersecurity ecosystem through rules on critical infrastructure, cybersecurity preparedness and response, and the certification of cybersecurity products. Today, we are completing this ecosystem through an Act that brings security in everyone’s home, in all our businesses and in every product that is interconnected. Cybersecurity is a matter for society, no longer an industry affair.”
According to a fact sheet provided by the European Commission, manufacturers will self-assess 90% of products, including hard drives, games, smart speakers, and so on. Because of their critical nature, the remaining 10% of products, including network interfaces, firewalls, CPUs, etc., will be subject to third-party assessment. Member states shall establish market surveillance authorities in charge of enforcing the obligations under the Cyber Resilience Act.
In the event of non-compliance, market surveillance authorities may require operators to end the non-compliance and eliminate the risk, prohibit or restrict the availability of a product on the market, or order that the product be withdrawn or recalled. Each of these authorities will have the power to fine companies that do not follow the rules. The Cyber Resilience Act specifies maximum administrative fine amounts for non-compliance that should be set in national legislation.
The European Parliament and Council will now examine the draft Cyber Resilience Act. Once enacted, economic operators and member states will have two years to adapt to the new requirements.
Thierry Breton, Commissioner for the Internal Market, stated, “When it comes to cybersecurity, Europe is only as strong as its weakest link: be it a vulnerable Member State or an unsafe product along the supply chain. Computers, phones, household appliances, virtual assistance devices, cars, toys… each and every one of these hundreds of millions of connected products is a potential entry point for a cyberattack.”
Nonetheless, most hardware and software products today are not subject to any cybersecurity obligations. The Cyber Resilience Act would help defend Europe’s economic and collective security by establishing cybersecurity by design.