The European Commission has proposed a new Cyber Resilience Act which aims to protect consumers and businesses from products with inadequate security features. It introduces mandatory cybersecurity requirements for products with digital elements, throughout their whole lifecycle.
The Act builds on the 2020 EU Cybersecurity Strategy and the 2020 EU Security Union Strategy, and aims to ensure that digital products, such as wireless and wired products and software, are more secure for consumers across the EU. In addition to increasing the responsibility of manufacturers by obliging them to provide security support and software updates to address identified vulnerabilities, it will enable consumers to have sufficient information about the cybersecurity of the products they buy and use.
According to the EU, ransomware attacks hit an organisation every 1.1 seconds around the world and the estimated global annual cost of cybercrime reached €5.5 trillion in 2021. Therefore, ensuring a high level of cybersecurity and reducing vulnerabilities in digital products – one of the main avenues for successful attacks – is very important. With the growth in smart and connected products, a cybersecurity incident in one product can affect the entire supply chain, possibly leading to severe disruption of economic and social activities, undermining security or even becoming life-threatening.
The proposals are based on the New Legislative Framework for EU product legislation and will contain:
- rules for the placing on the market of products with digital elements to ensure their security;
- essential requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to them;
- essential requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the whole life cycle, and obligations for economic operators in relation to these processes. Manufacturers will also have to report actively exploited vulnerabilities and incidents; and
- rules on market surveillance and enforcement.
The new rules will rebalance responsibility towards manufacturers, who will be required to ensure that products with digital elements made available on the EU market conform with the security requirements. The aim is that this will enhance the transparency of products' security properties and promote trust in products with digital elements, as well as ensuring better protection of consumers' fundamental rights, such as privacy and data protection.
The proposed regulation will apply to all products that are connected either directly or indirectly to another device or network. There are some exceptions for products for which cybersecurity requirements are already set out in existing EU rules, for example on medical devices, aviation or cars.
The European Parliament and the Council will now review the draft proposal. Once adopted, economic operators and member states will have two years to adapt to the new requirements. An exception to this rule is the reporting obligation on manufacturers for actively exploited vulnerabilities and incidents, which would apply one year from the date of entry into force. The Commission will regularly review the Cyber Resilience Act and report on its functioning.
Reaction to the proposals has been mixed. The Computer & Communications Industry Association supports the Commission’s objective of strengthening cyber resilience across the EU. However, it believes that the proposal introduces extensive red tape that could slow down, or even stall, the roll-out of new technologies and services that Europe needs.
The European Consumer Association has also welcomed the proposal but says it needs to be improved to meet consumer needs, for example by recognising the need for independent third-party assessment of certain products that pose higher risks to consumers, such as smart home systems, which can endanger the homeowner if hacked. It says that the proposal should also require manufacturers to continuously address security vulnerabilities by providing software updates for the product’s expected lifespan. There should also be more effective redress and compensation mechanisms for consumers who are harmed by a product not meeting cybersecurity requirements.