AI Business is part of the Informa Tech Division of Informa PLC

AI Security

EU to make manufacturers embed cybersecurity in digital products

First-of-its-kind legislation also requires manufacturers to report attacks.

The European Commission has unveiled first-of-its-kind legislation that would mandate cybersecurity requirements for products with digital elements throughout their entire lifecycle.

The Cyber Resilience Act spells out rules covering the design, development and production of digital products — including requiring manufacturers to put in place processes to avoid vulnerabilities.

Digital products would include wireless and wired products, as well as software. Manufacturers would also be obligated to report actively exploited vulnerabilities and incidents.

“Computers, phones, household appliances, virtual assistance devices, cars, toys … each and every one of these hundreds of millions of connected products is a potential entry point for a cyberattack,” said Thierry Breton, European Commissioner for the Internal Market, in a statement. “And yet, today most of the hardware and software products are not subject to any cyber security obligations.”

The regulation would apply to all products that are “connected either directly or indirectly to another device or network.”

Exceptions include products for which cybersecurity requirements are already set out in existing EU rules, for example, on medical devices, aviation or cars.

“We deserve to feel safe with the products we buy,” said Margrethe Vestager, European Commissioner for Competition. “Just as we can trust a toy or a fridge with a CE marking, the Cyber Resilience Act will ensure the connected objects and software we buy comply with strong cybersecurity safeguards. It will put the responsibility where it belongs, with those that place the products on the market.”

The Act was first announced by Commission president Ursula von der Leyen during her State of the European Union address in 2021.

The Commission considers cybersecurity among its top priorities — citing an increase in cyberattacks during the past few years as a factor in doubling down on protections. An impact assessment report that accompanied the Commission’s Radio Equipment Directive suggested that data breaches cost an estimated $10 billion annually.

Its new cybersecurity legislation will now be examined by both the European Parliament and Council. Should it be adopted, EU member states will have two years to adapt to the new requirements.

The vulnerability reporting rule, however, would apply one year from the date when the legislation enters into force.
