The European Union's (EU) proposed Cyber Resilience Act will form the nucleus of a global standard for connected devices and software, with far-reaching implications beyond the bloc's borders, according to security experts.
First announced by European Commission (EC) president Ursula von der Leyen 12 months ago and set out by the EC on 15 September 2022, the legislation builds on the EU's Cyber Security Strategy and Security Union Strategy.
It is intended to ensure that digital products, such as wireless and wired devices and the software they run, are made safer for consumers across the EU.
Similar to the UK's Product Security and Telecommunications Infrastructure Bill, currently making its way through the House of Lords, it forces manufacturers to provide ongoing security support and software patches, imposes mandatory cyber security requirements, and obliges them to give consumers adequate information about the security of their products.
"We deserve to feel safe with the products we buy in the single market. Just as we can trust a toy or a fridge with a CE mark, the Cyber Resilience Act will ensure that the connected objects and software we buy adhere to robust cybersecurity protections. It will put the responsibility on those who place the products on the market," said Margrethe Vestager, executive vice-president for a Europe Fit for the Digital Age.
EU Internal Market Commissioner Thierry Breton added: “When it comes to cyber security, Europe is only as strong as its weakest link: whether it’s a weak member state or an insecure product along the supply chain.
"Computers, phones, home appliances, virtual assistant devices, cars, toys… each of these millions of connected products is a potential entry point for a cyber attack – and yet most hardware and software products are not subject to any cybersecurity obligations. By introducing cybersecurity by design, the Cyber Resilience Act will help protect Europe's economy and our collective security."
The EC said the new rules will place responsibility for security on manufacturers, who must ensure their products comply with the new requirements, ultimately benefiting end users across the EU by increasing transparency, promoting trust and better protecting the fundamental right to privacy.
The EC acknowledged that the law would likely become an international point of reference outside the EU's internal market, and Keiron Holyome, BlackBerry vice-president for UK and Ireland, Eastern Europe, Middle East and Africa, concurred.
"Today, as the European Union launches its Cyber Resilience Act to protect European consumers and businesses from the risks posed by insecure digital products, the UK must sit up and take notice. This law should not be seen as a European requirement, but in fact a new global standard," said Holyome.
"The new EU law also highlights the measures British companies must take, particularly when it comes to the use of potentially unsafe smart devices for home working. In fact, recent research by BlackBerry found that only 21% of UK home workers said their employer had established a cyber security policy for the use of smart devices in the home office. As such, there is a huge opening for cybercriminals looking to target UK enterprises, with knock-on effects on the employees themselves.
"While smart devices may seem innocuous, bad actors can easily access home networks with connections to company devices – or company data on consumer devices – and steal millions' worth of intellectual property. Therefore, it is vital that British companies assess their cyber security defences now, as mandatory cyber security requirements are introduced for hardware and software products used by employees for home working."
Rod Freeman, partner and head of product practice at law firm Portera, said: "The proposed new rules are part of a wider regulatory intervention in cyber security in the EU. It will mean a new and much higher level of regulatory scrutiny and accountability for manufacturers of connected products. The impact of compliance on internet of things [IoT] product companies should not be underestimated.
"With product safety enforcement and consumer protection already a major focus across the European Union, the Cyber Resilience Act will significantly add to the growing burden of compliance challenges and product recall risks for companies making connected products. The new rules will likely bring one more regulatory agency into play on cyber security issues for connected products, making the legal landscape more challenging and risky for companies in this space."
The legislation will now go before the European Parliament and Council for examination and, once adopted, member states will have the usual two years to implement the new requirements.