Companies that make hardware and software products will be given a 36-month period to adapt to the new legislation when it is passed.
The European Commission announced today (1 December) that it reached an agreement on the terms of the Cyber Resilience Act, a piece of legislation it first proposed in September 2022.
The Cyber Resilience Act was tipped as a way for the EU to make companies that manufacture internet-enabled devices for sale responsible for cybersecurity throughout the entire product life cycle. Manufacturers will have to provide consumers with security updates at regular intervals.
The legislation also aims to ensure that consumers are fully aware of their rights around the security of the devices that they purchase. All products on the market in the EU will need to comply with the Commission’s cybersecurity standards. Devices from baby monitors to fridges will soon bear a special CE marking that signifies they are compliant with the regulation.
Following today’s agreement, the legislation will go before the European Parliament and Council for formal approval. It is expected to enter into force on the 20th day following its publication in the official journal. Once it enters into force, manufacturers, importers and distributors of hardware and software products will be given a 36-month period to adapt to the new rules. However, manufacturers will be given a more limited period of 21 months to comply with reporting obligations for incidents and vulnerabilities.
European officials welcomed the latest developments in the legislation. Thierry Breton, Commissioner for the Internal Market, said that the law would guarantee that digital devices within the EU embody “robust cybersecurity from their conception throughout their lifecycle”.
“This cybersecurity by design is essential for the security of both consumers and society at large,” he added.
“Consumers need to feel safe with the products available on the EU market,” said Věra Jourová, Vice President for Values and Transparency. “The Cyber Resilience Act agreed today will ensure the digital products we use at home and at work comply with strong cybersecurity standards. Those that place these products on the market must be held responsible for their safety.”
Companies that do not adhere to the new laws may be fined and their products may be withdrawn from circulation in the EU. The Cyber Resilience Act is part of the EU’s wider plan to crack down on what it sees as threats to safety and human rights presented by Big Tech. Leo Moore, partner and head of technology at law firm William Fry, recently told SiliconRepublic.com how the bloc is enforcing various regulations to ensure tech companies are held responsible for matters such as the use of personal data, AI and cybersecurity.