(BRUSSELS) – The European Commission presented Thursday a proposal for a new EU Cyber Resilience Act with a view to protecting consumers and businesses from products with inadequate security features.
An increase of cyber-attacks during the coronavirus crisis showed the importance of protecting hospitals, research centres and other infrastructure. Strong action in the area is needed to future-proof the EU’s economy and society. It is estimated that the annual costs of data breaches are at least EUR 10 billion and the annual costs of malicious attempts to disrupt traffic on the internet are estimated to be at least EUR 65 billion (impact assessment report accompanying the Commission Delegated Regulation supplementing Radio Equipment Directive Delegated Regulation).
This new EU-wide legislation introduces mandatory cybersecurity requirements for products with digital elements, throughout their whole lifecycle. The Act would ensure that digital products, such as wireless and wired products and software, are more secure for consumers across the EU: in addition to increasing the responsibility of manufacturers by obliging them to provide security support and software updates to address identified vulnerabilities, it will enable consumers to have sufficient information about the cybersecurity of the products they buy and use.
“Computers, phones, household appliances, virtual assistance devices, cars, toys each and every one of these hundreds of million connected products is a potential entry point for a cyberattack,” said Internal Market Commissioner Thierry Breton: “And yet, today most of the hardware and software products are not subject to any cyber security obligations. By introducing cybersecurity by design, the Cyber Resilience Act will help protect Europe’s economy and our collective security.”
With ransomware attacks hitting an organisation every 11 seconds around the globe and the estimated global annual cost of cybercrime reaching 5.5 trillion in 2021 (Joint Research Centre report (2020): “Cybersecurity Our Digital Anchor, a European perspective”), ensuring a high level of cybersecurity and reducing vulnerabilities in digital products one of the main avenues for successful attacks is more important than ever. With the growth in smart and connected products, a cybersecurity incident in one product can have an impact on the entire supply chain, possibly leading to severe disruption of economic and social activities across the internal market, undermining security or even becoming life-threatening.
The measures proposed are based on the New Legislative Framework for EU product legislation and will lay down:
- (a) rules for the placing on the market of products with digital elements to ensure their cybersecurity;
- (b) essential requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to these products;
- (c) essential requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the whole life cycle, and obligations for economic operators in relation to these processes. Manufacturers will also have to report actively exploited vulnerabilities and incidents;
- (d) rules on market surveillance and enforcement.
The new rules will rebalance responsibility towards manufacturers, who must ensure conformity with security requirements of products with digital elements that are made available on the EU market. As a result, they will benefit consumers and citizens, as well as businesses using digital products, by enhancing the transparency of the security properties and promoting trust in products with digital elements, as well as by ensuring better protection of their fundamental rights, such as privacy and data protection.
While other jurisdictions around the world look into addressing these issues, the Cyber Resilience Act is likely to become an international point of reference, beyond the EU’s internal market. EU standards based on the Cyber Resilience Act will facilitate its implementation and will be an asset for the EU cybersecurity industry in global markets.
The proposed regulation will apply to all products that are connected either directly or indirectly to another device or network. There are some exceptions for products, for which cybersecurity requirements are already set out in existing EU rules, for example on medical devices, aviation or cars.
EU Cyber Resilience Act - background guide
Factsheet on the EU Cyber Resilience Act
Proposal for a Cyber Resilience Act
Factsheet on the new EU Cybersecurity Strategy
Factsheet on the Proposal for a Directive on measures for high common level of cybersecurity across the Union (NIS2 Directive)
Factsheet on Cybersecurity: EU External Action
Questions and Answers: New EU Cybersecurity Strategy and new rules to make physical and digital critical entities more resilient
Proposal for a Directive on measures for high common level of cybersecurity across the Union (NIS2 Directive)
Proposal for a Directive on the resilience of critical entities