EU Cyber Resilience Act: What you need to know

15 Sep 2022

EU commissioner Margrethe Vestager. Image: Claudio Centonze/European Commission

Manufacturers selling in the EU may soon become responsible for the cybersecurity of a product throughout its lifecycle under proposed rules.

The European Commission has unveiled its proposals to bolster the security of hardware and software products being sold in the EU.

Published today (15 September), the Cyber Resilience Act aims to hold manufacturers of devices that can connect to the internet responsible for cybersecurity throughout the product lifecycle.

It would also allow consumers to be properly informed about the security of the products they buy and use.

“While manufacturers of products with digital elements sometimes face reputational damage when their products lack security, the cost of vulnerabilities is predominantly borne by professional users and consumers,” the European Commission explained in a Q&A.

“This limits the incentives of manufacturers to invest in secure design and development and to provide security updates.”

The act aims to ensure that products with “digital elements” – anything that can connect to the internet and may be susceptible to cyberattacks – can only be made available in the EU if they meet “specific essential cybersecurity requirements” and factor in security in the product’s design and development.

“Just as we can trust a toy or a fridge with a CE marking, the Cyber Resilience Act will ensure the connected objects and software we buy comply with strong cybersecurity safeguards,” said Margrethe Vestager, executive vice-president for a Europe Fit for the Digital Age.

“It will put the responsibility where it belongs, with those that place the products on the market.”

‘Europe is only as strong as its weakest link’

According to the European Commission, hardware and software products are increasingly subject to successful cyberattacks – costing the global economy an estimated €5.5trn in 2021.

“When it comes to cybersecurity, Europe is only as strong as its weakest link – be it a vulnerable member state or an unsafe product along the supply chain,” said internal market commissioner Thierry Breton.

He warned that “hundreds of millions” of connected products, from computers and smartphones to virtual assistant devices and cars, are potential entry points for cyberattacks.

“And yet, today, most of the hardware and software products are not subject to any cybersecurity obligations. By introducing cybersecurity by design, the Cyber Resilience Act will help protect Europe’s economy and our collective security.”

The European Parliament and Council will now examine the draft act. If adopted, member states would have two years to adapt to the new requirements – with the exception of the requirement for manufacturers to report vulnerabilities, which would apply within one year.

“The EU has pioneered in creating a cybersecurity ecosystem through rules on critical infrastructure, cybersecurity preparedness and response, and the certification of cybersecurity products,” said Margaritis Schinas, vice-president for Promoting our European Way of Life.

“Today, we are completing this ecosystem through an act that brings security in everyone’s home, in all our businesses and in every product that is interconnected. Cybersecurity is a matter for society, no longer an industry affair.”


Vish Gain is a journalist with Silicon Republic