September 20, 2022
First-of-its-kind legislation would also require manufacturers to report actively exploited vulnerabilities and incidents.
The European Commission has unveiled a first-of-its-kind legislation that would mandate cybersecurity requirements for products with digital elements throughout their entire lifecycle.
The Cyber Resilience Act spells out rules covering the design, development and production of digital products — including requiring manufacturers to put in place processes to avoid vulnerabilities.
Digital products would include wireless and wired products, as well as software. Manufacturers would also be obligated to report actively exploited vulnerabilities and incidents.
“Computers, phones, household appliances, virtual assistance devices, cars, toys … each and every one of these hundreds of millions of connected products is a potential entry point for a cyberattack,” said Thierry Breton, European Commissioner for the Internal Market, in a statement. “And yet, today most of the hardware and software products are not subject to any cyber security obligations.”
The regulation would apply to all products that are “connected either directly or indirectly to another device or network.”
Exceptions include products for which cybersecurity requirements are already set out in existing EU rules, for example, on medical devices, aviation or cars.
“We deserve to feel safe with the products we buy,” said Margrethe Vestager, European Commissioner for Competition. “Just as we can trust a toy or a fridge with a CE marking, the Cyber Resilience Act will ensure the connected objects and software we buy comply with strong cybersecurity safeguards. It will put the responsibility where it belongs, with those that place the products on the market.”
The Act was first announced by Commission president Ursula von der Leyen during her State of the European Union address in 2021.
The Commission considers cybersecurity among its top priorities, citing the rise in cyberattacks over the past few years as a reason to strengthen protections. An impact assessment report that accompanied the Commission’s Radio Equipment Directive suggested that data breaches cost an estimated $10 billion annually.
Its new cybersecurity legislation will now be examined by both the European Parliament and Council. Should it be adopted, EU member states will have two years to adapt to the new requirements.
The vulnerability reporting rule, however, would apply one year from the date when the legislation enters into force.