
EU-wide cybersecurity rules for digital products
Mandatory cybersecurity requirements for products with digital elements are included in a Cyber Resilience Act proposed by the European Commission, which says the first ever EU-wide legislation of its kind aims to protect consumers and businesses from products with inadequate security features.
“An increase of cyber-attacks during the coronavirus crisis has shown how important it is to protect hospitals, research centres and other infrastructure”, the Commission says.
“With ransomware attacks hitting an organisation every 11 seconds around the globe and the estimated global annual cost of cybercrime reaching €5.5 trillion in 2021, ensuring a high level of cybersecurity and reducing vulnerabilities in digital products – one of the main avenues for successful attacks – is more important than ever.”
“With the growth in smart and connected products, a cybersecurity incident in one product can have an impact on the entire supply chain, possibly leading to severe disruption of economic and social activities across the internal market, undermining security or even becoming life-threatening.”
The proposal includes:
- Rules for the placing on the market of products with digital elements to ensure their cybersecurity;
- Essential requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to these products;
- Essential requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the whole life cycle, and obligations for economic operators in relation to these processes. Manufacturers will also have to report actively exploited vulnerabilities and incidents;
- Rules on market surveillance and enforcement.
The Commission said the new rules will rebalance responsibility towards manufacturers, who must ensure conformity with security requirements of products with digital elements that are made available on the EU market.
“While other jurisdictions around the world look into addressing these issues, the Cyber Resilience Act is likely to become an international point of reference, beyond the EU’s internal market. EU standards based on the Cyber Resilience Act will facilitate its implementation and will be an asset for the EU cybersecurity industry in global markets.”
The proposed regulation will apply to all products that are connected either directly or indirectly to another device or network. There are some exceptions for products for which cybersecurity requirements are already set out in existing EU rules, for example on medical devices, aviation or cars.
If approved by the European Parliament and the Council, economic operators and Member States will have two years to adapt to the new requirements. An exception to this rule is the reporting obligation on manufacturers for actively exploited vulnerabilities and incidents, which would already apply one year from the date of entry into force.
Moonshot News is an independent European news website for all IT, Media and Advertising professionals, powered by women and with a focus on driving the narrative for diversity, inclusion and gender equality in the industry.