EU to make manufacturers embed cybersecurity in digital products

First-of-its-kind legislation also requires manufacturers to report attacks.

Ben Wodecki

September 20, 2022


The European Commission has unveiled first-of-its-kind legislation that would mandate cybersecurity requirements for products with digital elements throughout their entire lifecycle.

The Cyber Resilience Act spells out rules covering the design, development and production of digital products — including requiring manufacturers to put in place processes to avoid vulnerabilities.

Digital products would include wireless and wired products, as well as software. Manufacturers would also be obligated to report actively exploited vulnerabilities and incidents.

“Computers, phones, household appliances, virtual assistance devices, cars, toys … each and every one of these hundreds of millions of connected products is a potential entry point for a cyberattack,” said Thierry Breton, European Commissioner for the Internal Market, in a statement. “And yet, today most of the hardware and software products are not subject to any cyber security obligations.”

The regulation would apply to all products that are “connected either directly or indirectly to another device or network.”

Exceptions include products for which cybersecurity requirements are already set out in existing EU rules, for example, on medical devices, aviation or cars.

“We deserve to feel safe with the products we buy,” said Margrethe Vestager, European Commissioner for Competition. “Just as we can trust a toy or a fridge with a CE marking, the Cyber Resilience Act will ensure the connected objects and software we buy comply with strong cybersecurity safeguards. It will put the responsibility where it belongs, with those that place the products on the market.”


The Act was first announced by Commission president Ursula von der Leyen during her State of the European Union address in 2021.

The Commission considers cybersecurity among its top priorities — citing an increase in cyberattacks during the past few years as a factor in doubling down on protections. An impact assessment report that accompanied the Commission’s Radio Equipment Directive suggested that data breaches cost an estimated $10 billion annually.

The proposed legislation will now be examined by both the European Parliament and the Council. Should it be adopted, EU member states will have two years to adapt to the new requirements.

The vulnerability reporting rule, however, would apply one year from the date when the legislation enters into force.

About the Authors

Ben Wodecki

Assistant Editor
