The EU & Cybersecurity defined
Cybersecurity is one of the Commission’s top priorities and a cornerstone of a digital and connected Europe. The rise in cyber attacks during the coronavirus crisis has shown how important it is to protect hospitals, research centres and other infrastructure. It is estimated that the annual cost of data breaches is at least EUR 10 billion and that the yearly cost of malicious attempts to disrupt internet traffic is at least EUR 65 billion (impact assessment report accompanying the Commission Delegated Regulation supplementing the Radio Equipment Directive). Decisive action in this area is needed to make the EU economy and society resilient to future developments.
This first-of-its-kind legislation at the EU level establishes mandatory cybersecurity requirements for products with digital elements throughout their lifecycle, in response to modern threats. As ransomware attacks hit an organization every 11 seconds worldwide, and the estimated annual cost of cybercrime reached EUR 5.5 trillion in 2021 (Joint Research Centre report 2020, “Cybersecurity – Our Digital Anchor, a European perspective”), guaranteeing a high level of cybersecurity and reducing the vulnerabilities of digital products, one of the main avenues for successful attacks, is more critical than ever. With the development of smart and connected products, a cybersecurity incident in one product can impact the entire supply chain, potentially causing severe disruption to economic and social activities across the internal market, undermining security or even threatening human life.
Features and Characteristics
The measures proposed today are based on the new legislative framework for EU product law and will establish the following:
- Rules for placing products with digital elements on the market to guarantee their cybersecurity.
- Essential requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to those products.
- Essential requirements for the vulnerability handling processes put in place by manufacturers to guarantee the cybersecurity of products with digital elements throughout their life cycle, and obligations for economic operators in relation to those processes, including an obligation for manufacturers to report actively exploited vulnerabilities and incidents.
- Rules on market surveillance and enforcement.
The Vice-President of the Commission, Margaritis Schinas, noted that “the cyber resilience act is our response to the modern security threats that are now ubiquitous in our digital society. The EU has created a cybersecurity ecosystem by establishing rules on critical infrastructure, preparedness and response, and certification of cybersecurity products.
Today we complete this ecosystem through an act that brings security to all our homes, businesses and connected products. Cybersecurity is a societal issue and no longer an industry issue.”
The Great Phenomena of EU Measures for Cybersecurity Products
Commission Executive Vice-President Margrethe Vestager said: “We have a right to feel that the products we buy in the single market are safe. Just as we can trust a CE-marked toy or fridge, the Cyber Resilience Act will ensure that the connected objects and software we buy comply with strong cyber security safeguards. The act will shift responsibility where it belongs, to those who place the products on the market.”
With the new rules, responsibility will be transferred to manufacturers, who must ensure that products with digital elements made available on the EU market comply with the cybersecurity requirements, reports APE-MPE. While other jurisdictions around the world consider these issues, the Cyber Resilience Act will likely become an international benchmark beyond the EU internal market.
The proposed regulation will apply to all products directly or indirectly connected to another device or network. Some exceptions exist for products for which cybersecurity requirements are already provided in existing EU rules, for example, medical devices, aviation, or cars.
It is now up to the European Parliament and the Council to consider the draft cyber resilience act. Once approved, economic operators and Member States will have two years to adapt to the new requirements.
An exception to this rule is the obligation for manufacturers to report actively exploited vulnerabilities and incidents, which will apply one year after entry into force, as it requires fewer organizational adjustments than the other new obligations. The Commission will regularly review the Cyber Resilience Act and report on its operation.