EU proposes new cybersecurity act
The EU has presented a new cybersecurity act to defend against ransomware attacks, during State of Union address
The Commission has presented a proposal for a new Cyber Resilience Act to protect consumers and businesses from products with inadequate security features. A first ever EU-wide legislation of its kind, it introduces mandatory cybersecurity requirements for products with digital elements, throughout their whole lifecycle.
The act, first mentioned by President Ursula von der Leyen during her State of the European Union address in 2021, and building on the 2020 EU Cybersecurity Strategy and the 2020 EU Security Union Strategy, will ensure that digital products, such as wireless and wired products and software, are more secure for consumers across the EU, in addition to increasing the responsibility of manufacturers by obliging them to provide security support and software updates to address identified vulnerabilities, it will enable consumers to have sufficient information about the cybersecurity of the products they buy and use.
Margrethe Vestager, Executive Vice-President for a Europe Fit for the Digital Age, said: “We deserve to feel safe with the products we buy in the single market. Just as we can trust a toy or a fridge with a CE marking, so the Cyber Resilience Act will ensure the connected objects and software we buy comply with strong cybersecurity safeguards. It will put the responsibility where it belongs, with those that place the products on the market.”
EU as pioneer
Margaritis Schinas, Vice-President for Promoting our European Way of Life, added: “The Cyber Resilience Act is our answer to modern security threats that are now omnipresent through our digital society. The EU has pioneered in creating a cybersecurity ecosystem through rules on critical infrastructure, cybersecurity preparedness and response, and the certification of cybersecurity products.
“Today, we are completing this ecosystem through an act that brings security in everyone’s home, in all our businesses and in every product that is interconnected. Cybersecurity is a matter for society, no longer an industry affair.”
With ransomware attacks hitting an organisation every 11 seconds around the globe and the estimated global annual cost of cybercrime reaching €5.5 trillion in 2021 (Cybersecurity – Our Digital Anchor, a European perspective), ensuring a high level of cybersecurity and reducing vulnerabilities in digital products – one of the main avenues for successful attacks – is more important than ever. With the growth in smart and connected products, a cybersecurity incident in one product can have an impact on the entire supply chain, possibly leading to severe disruption of economic and social activities across the internal market, undermining security or even becoming life-threatening.
The new rules will rebalance responsibility towards manufacturers, who must ensure conformity with security requirements of products with digital elements that are made available on the EU market. As a result, they will benefit consumers and citizens, as well as businesses using digital products, by enhancing the transparency of the security properties and promoting trust in products with digital elements, as well as by ensuring better protection of their fundamental rights, such as privacy and data protection.
Beyond the EU
Thierry Breton, Commissioner for the Internal Market, said: “When it comes to cybersecurity, Europe is only as strong as its weakest link; be it a vulnerable member state, or an unsafe product along the supply chain. Computers, phones, household appliances, virtual assistance devices, cars, toys… each and every one of these hundreds of million connected products is a potential entry point for a cyberattack.
“And yet, today most of the hardware and software products are not subject to any cyber security obligations. By introducing cybersecurity by design, the Cyber Resilience Act will help protect Europe’s economy and our collective security.”
While other jurisdictions around the world look into addressing these issues, the Cyber Resilience Act is likely to become an international point of reference, beyond the EU’s internal market. EU standards based on the act will facilitate its implementation and will be an asset for the EU cybersecurity industry in global markets.
The proposed regulation will apply to all products that are connected either directly or indirectly to another device or network. There are some exceptions for products, for which cybersecurity requirements are already set out in existing EU rules, for example on medical devices, aviation or cars.