EU Cyber Resilience Act introduces new cybersecurity rules

BRUSSELS – The European Commission have released the draft of their sweeping new cybersecurity legislation for consideration by the European Parliament and Council.

On September 15 presented the proposal for the Cyber Resilience Act which aims to protect customers and businesses from products with inadequate security features. Originally announced in 2021 during President Ursula von der Leyen’s State of the European Union Address is considered the first of its kind, introducing a broad array of cybersecurity mandates for products and their “digital elements”.

“We deserve to feel safe with the products we buy in the single market,” said Margarethe Vestager, Vice-President for a Europe Fit for the Digital Age. “Just as we can trust a toy or a fridge with a CE marking, the Cyber Resilience Act will ensure the connected objects and software we buy comply with strong cybersecurity safeguards. It will put the responsibility where it belongs, with those that place the products on the market.”

What that means for corporations selling smart hardware and software is that they’ll be responsible for a product and its cybersecurity throughout its entire life cycle. In a world where ransomware attacks are occurring as often as every 11 seconds and damages from cyber crimes reach into the trillions of dollars, businesses will be forced to rethink their approach in the EU if they want to keep doing business there.

"When it comes to cybersecurity, Europe is only as strong as its weakest link: be it a vulnerable Member State, or an unsafe product along the supply chain,” said Thierry Breton, Commissioner for the Internal Market “Computers, phones, household appliances, virtual assistance devices, cars, toys… each and every one of these hundreds of million connected products is a potential entry point for a cyberattack. And yet, today most of the hardware and software products are not subject to any cyber security obligations. By introducing cybersecurity by design, the Cyber Resilience Act will help protect Europe's economy and our collective security.”

While the world watches the commission is clearly hoping other nations and governing bodies are taking notes from their efforts. “While other jurisdictions around the world look into addressing these issues, the Cyber Resilience Act is likely to become an international point of reference, beyond the EU's internal market,” the commission states in their press release. “EU standards based on the Cyber Resilience Act will facilitate its implementation and will be an asset for the EU cybersecurity industry in global markets.”

Specific requirements for manufacturers post adoption of the legislation includes: Documentation of all cybersecurity risks, reports of exploited vulnerabilities and incidents, support of a product and security updates through its life time (or five years, whichever is shorter), and clear as well as understandable instructions for the use of products with digital elements.

The Cyber Resilience Act can be found here, for more information on it and other proposed legislation you can visit the commissions website at ec.europa.eu.