© European Union
From baby-monitors to smart-watches, products and software that contain a digital component are omnipresent in our daily lives. Less apparent to many users is the security risk such products and software may present.
The Commission’s proposal for a new Cyber Resilience Act (CRA) aims to safeguard consumers and businesses buying or using products or software with a digital component. The Act would see inadequate security features become a thing of the past with the introduction of mandatory cybersecurity requirements for manufacturers and retailers of such products, with this protection extending throughout the product lifecycle.
The problem addressed by the proposed regulation is two-fold. First is the inadequate level of cybersecurity inherent in many products, or inadequate security updates to such products and software. Second is the inability of consumers and businesses to currently determine which products are cybersecure, or to set them up in a way that ensures their cybersecurity is protected.
The proposed Cyber Resilience Act would guarantee:
- harmonised rules when bringing to market products or software with a digital component;
- a framework of cybersecurity requirements governing the planning, design, development and maintenance of such products, with obligations to be met at every stage of the value chain;
- an obligation to provide duty of care for the entire lifecycle of such products.
When the proposed regulation enters into force, software and products connected to the internet would bear the CE marking to indicate they comply with the new standards. Requiring manufacturers and retailers to prioritise cybersecurity, customers and businesses would be empowered to make better-informed choices, confident of the cybersecurity credentials of CE-marked products.
The proposed regulation announced in the 2020 EU Cybersecurity Strategy, would complement existing legislation, specifically the NIS2 Framework. It would apply to all products connected directly or indirectly to another device or network except for specified exclusions such as open-source software or services that are already covered by existing rules, which is the case for medical devices, aviation and cars.
The European Parliament and the Council will now deliberate on the proposed Cyber Resilience Act. Upon entry into force, stakeholders will have 24 months in which to adapt to new requirements, with the exception of a more limited 12-month grace period in relation to the reporting obligation on manufacturers.
Related Content
Big Picture
The European Union works on various fronts to promote cyber resilience, safeguarding our communication and data and keeping online society and economy secure.
See Also
Operators of Essential Services (OES), National Cybersecurity Certification Authorities (NCCAs) and National Competent Authorities (NCAs) for cybersecurity are among the selected applicants that will receive €11 million in funding by the Connecting Europe Facility cybersecurity...
The European Cybersecurity Network and Cybersecurity Competence Centre help the EU retain and develop cybersecurity technological and industrial capacities.
The Stakeholder Cybersecurity Certification Group was established to provide advice on strategic issues regarding cybersecurity certification.
The Cybersecurity Act strengthens the EU Agency for cybersecurity (ENISA) and establishes a cybersecurity certification framework for products and services.
The EU cybersecurity certification framework for ICT products enables the creation of tailored and risk-based EU certification schemes.
The NIS2 Directive is the EU-wide legislation on cybersecurity. It provides legal measures to boost the overall level of cybersecurity in the EU.