This is the first ever EU-wide legislation that aims to protect consumers and companies from connected devices with inadequate security features. All the smart devices connected to the internet, such as TVs or even fridges, will have to comply with tough and mandatory EU cybersecurity rules. That means digital elements produced or distributed in the EU market will soon need to comply with the “Cyber Resilience Act” to avoid penalties.
“We deserve to feel safe with our products in the single market. Just as we can trust a toy or a fridge with a CE marking, the Cyber Resilience Act will ensure the connected objects and software we buy comply with strong cybersecurity safeguards,” said Margrethe Vestager, Executive Vice-President for Europe Fit for the Digital Age. “It will put the responsibility where it belongs, with those that place the products on the market.”
Ransomware attacks every 11 seconds
Based on stats presented by the European Commission, it is estimated that the global annual cost of cyberattacks reached €5.5 trillion in 2021. On a global level, ransomware attacks occur every 11 seconds.
With the “Cyber Resilience Act”, the EU wants to reduce the vulnerabilities in digital products and to ensure a high level of cybersecurity. According to the European Commission, a cybersecurity incident can impact the entire supply chain and could even lead to severe disruption of economic and social activities across the internal market.
“The Cyber Resilience Act is our answer to modern security threats that are now omnipresent in our digital society. The EU has pioneered in creating a cybersecurity ecosystem through rules on critical infrastructure, cybersecurity preparedness and response, and the certification of cybersecurity products,” Margaritis Schinas, Vice-President for Promoting our European Way of Life, noted. “Today, we are completing this ecosystem through an Act that brings security in everyone’s home, in all our businesses, and in every product that is interconnected. Cybersecurity is a matter for society, no longer an industry affair.”
According to Thierry Breton, Commissioner for the Internal Market, “when it comes to cybersecurity, Europe is only as strong as its weakest link be it a vulnerable Member State or an unsafe product along the supply chain. Computers, phones, household appliances, virtual assistance devices, cars, and toys, each one of these hundreds of millions of connected products is a potential entry point for a cyberattack. And yet, today most hardware and software products are not subject to any cyber security obligations. By introducing cybersecurity by design, the Cyber Resilience Act will help protect Europe’s economy and our collective security.”
The new rules
The measures proposed by the European Commission are based on the New Legislative Framework for EU product legislation. As described in the “Cyber Resilience Act”, the EU wants to ensure that manufacturers improve the security of products with digital elements from the design and development phase and throughout the whole life cycle and to ensure a coherent cybersecurity framework, facilitating compliance for hardware and software producers.
With the new mandatory cybersecurity rules, the EU will enhance the transparency of security properties of products with digital elements and enable businesses and consumers to use products with digital features securely. The proposed regulation will apply to all products connected directly or indirectly to another device or network.
The “Cyber Resilience Act” is now being examined by the European Parliament and the Council. Once adopted, economic operators and the Member States will have two years to adapt to the new requirements.