On Thursday, 15 September 2022, the European Commission proposed the first-ever EU-wide Cyber Resilience Act regulating essential cybersecurity requirements for products with digital elements and ensuring more secure hardware and software for consumers within the single market.
According to the Commission, the cybersecurity of the entire supply chain is maintained only if all of its components are cyber-secure. The existing EU legal framework covers only certain aspects of cybersecurity, approached from different angles (products, services, crisis management, and crimes); this leaves substantial gaps and sets no mandatory security requirements for products with digital elements.
The proposed rules set out the obligations of economic operators (manufacturers, importers, and distributors) to comply with the essential cybersecurity requirements. The rules would benefit several groups of stakeholders: by ensuring secure products, businesses would maintain customers’ trust and their established reputation, while customers would receive detailed instructions and the necessary information when purchasing products, which would in turn support data and privacy protection.
According to the proposal, manufacturers must ensure that cybersecurity is taken into account in the planning, design, development, production, delivery, and maintenance phases, that cybersecurity risks are documented, and that vulnerabilities and incidents are reported. The regulation also introduces stricter duty-of-care rules covering the entire life cycle of products with digital elements: once a product is sold, the company remains responsible for its security throughout its expected lifetime or for a minimum of five years (whichever is shorter). Moreover, smart device makers must provide consumers with “sufficient and accurate information” so that buyers can understand the security considerations at the time of purchase and set up devices securely. Importers may only place on the market products with digital elements that comply with the requirements set out in the Act and whose manufacturer’s processes comply with the essential requirements. When making a product with digital elements available on the market, distributors must act with due care in relation to the requirements of the Regulation. Non-compliance with the cybersecurity requirements and other infringements by economic operators will result in administrative fines and penalties (Article 53), and market surveillance authorities will have the power to order the withdrawal or recall of non-compliant devices.
The Regulation lays down horizontal cybersecurity rules, although rules tailored to particular sectors or products might have been more useful and practical. The new rules do not apply to devices whose cybersecurity requirements are already regulated by existing EU rules, such as aviation technology, cars, and medical devices.
The Commission’s press release announced that the new rules will have an impact not only within the Union but also on the global market beyond Europe. Given the international influence of the GDPR, such an outcome is plausible. Efforts to ensure cyber-secure products are not unique to the EU: other states have already taken similar measures. The UK, for example, launched a consultation ahead of potential legislation to ensure that household items connected to the internet are better protected from cyber-attacks.
While the EU’s proposed Act is a significant step forward, it still needs to be reviewed by the European Parliament and the Council before it becomes effective. If adopted, economic operators and the Member States will have twenty-four months (2 years) to implement the new requirements, while the obligation to report actively exploited vulnerabilities and incidents will apply one year after entry into force (Article 57).