This week the European Commission presented its proposal for the Cyber Resilience Act, which aims to protect consumers and businesses from digitally connected products with inadequate cyber security features. The legislation will apply in all EU member states, but it will also likely have global implications, given that any company selling products into the EU will have to comply.
The Act was announced in September 2021 and builds on the 2020 EU Cybersecurity Strategy. The aim is to ensure that digital products, often those grouped under the 'Internet-of-Things' label, are more secure for those living and working in the EU, and to increase the responsibility of manufacturers to comply with minimum requirements.
The new regulation will impact everything from smart speakers to cars, toys and digitally connected factories and warehouses.
Margrethe Vestager, Executive Vice-President for a Europe Fit for the Digital Age, said:
We deserve to feel safe with the products we buy in the single market. Just as we can trust a toy or a fridge with a CE marking, the Cyber Resilience Act will ensure the connected objects and software we buy comply with strong cybersecurity safeguards. It will put the responsibility where it belongs, with those that place the products on the market.
Upon announcing the Act, the European Commission said that ransomware attacks hit an organisation every 11 seconds around the globe and that the estimated global annual cost of cybercrime reached €5.5 trillion in 2021. As such, it adds, ensuring a high level of cybersecurity and reducing vulnerabilities in digital products – one of the main avenues for successful attacks – is more important than ever.
The documentation also notes that a cybersecurity incident in one product can have an impact on the entire supply chain, which could lead to disruption of economic and social activities across the EU internal market.
What it means
The proposed measures are based on the New Legislative Framework for EU product legislation and will lay down:
rules for the placing on the market of products with digital elements to ensure their cybersecurity;
essential requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to these products;
essential requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the whole life cycle, and obligations for economic operators in relation to these processes. Manufacturers will also have to report actively exploited vulnerabilities and incidents;
rules on market surveillance and enforcement.
Margaritis Schinas, Vice-President for Promoting our European Way of Life, said:
The Cyber Resilience Act is our answer to modern security threats that are now omnipresent through our digital society. The EU has pioneered in creating a cybersecurity ecosystem through rules on critical infrastructure, cybersecurity preparedness and response, and the certification of cybersecurity products. Today, we are completing this ecosystem through an Act that brings security in everyone's home, in all our businesses and in every product that is interconnected. Cybersecurity is a matter for society, no longer an industry affair.
According to a fact sheet released by the European Commission, 90% of products will be self-assessed by manufacturers - including hard drives, games, smart speakers, etc. The remaining 10% of products will undergo some form of third-party assessment because of their critical nature - these include such things as network interfaces, firewalls, CPUs, etc.
Member States will appoint market surveillance authorities, which will be responsible for the enforcement of the Cyber Resilience Act obligations.
In case of non-compliance, market surveillance authorities could require operators to bring the non-compliance to an end and eliminate the risk, to prohibit or restrict the making available of a product on the market, or to order that the product is withdrawn or recalled. Each of these authorities will be able to fine companies that don't adhere to the rules. The Cyber Resilience Act establishes maximum levels for administrative fines that should be provided in national laws for non-compliance.
The European Parliament and Council will now examine the draft Cyber Resilience Act. Once adopted, economic operators and Member States will have two years to adapt to the new requirements.
Thierry Breton, Commissioner for the Internal Market, said:
When it comes to cybersecurity, Europe is only as strong as its weakest link: be it a vulnerable Member State, or an unsafe product along the supply chain. Computers, phones, household appliances, virtual assistance devices, cars, toys… each and every one of these hundreds of millions of connected products is a potential entry point for a cyberattack.
And yet, today most of the hardware and software products are not subject to any cyber security obligations. By introducing cybersecurity by design, the Cyber Resilience Act will help protect Europe's economy and our collective security.
Much like GDPR, this will have ramifications far beyond the EU. Any company selling products into the EU will have to comply with the new standards that will be laid out, meaning that this new Act will likely become the reference point for global organizations looking to define minimum security requirements for connected products.