EU Cyber Resilience Act reaches political consensus to strengthen cybersecurity standards for products

The European Commission announced Friday that a political agreement has been reached between the European Parliament and the Council on the Cyber Resilience Act, which was proposed by the Commission in September 2022. The new regulation will require all products entering the EU market to meet stringent cybersecurity standards. The regulation is expected to come into effect in early 2024, and the agreement marks a significant milestone in the ongoing battle against the escalating menace posed by cyber criminals and other malicious entities.

The first EU-wide legislation of its kind introduces mandatory cybersecurity requirements for hardware and software products throughout their whole lifecycle. The Act will ensure that products with digital elements placed on the EU market have fewer vulnerabilities and that manufacturers remain responsible for cybersecurity throughout a product’s lifecycle; improve transparency on the security of hardware and software products; and give business users and consumers better protection.

Once the Cyber Resilience Act is in place, manufacturers of hardware and software will have to implement cybersecurity measures across the entire lifecycle of the product, from design and development through to after the product is placed on the market. Software and hardware products will bear the CE marking to indicate that they comply with the Regulation’s requirements and can therefore be sold in the EU.

The Act will also introduce a legal obligation for manufacturers to provide consumers with timely security updates for several years after the purchase. This period has to reflect the time products are expected to be used. Through these measures, the new Act will empower users to make better informed and more secure choices, as manufacturers will have to become more transparent and responsible about the security of their products.

“Consumers need to feel safe with the products available on the EU market,” Věra Jourová, vice president for values and transparency, said in a Friday media statement. “The Cyber Resilience Act agreed today will ensure the digital products we use at home and at work comply with strong cybersecurity standards. Those that place these products on the market must be held responsible for their safety.”

Margaritis Schinas, vice-president for Promoting our European Way of Life, pointed out that the safety of all products circulating in the EU has always been a priority and a success story. “With the Cyber Resilience Act, we are filling a gap by completing the safety rules so that security by design applies to all products that reach EU consumers and users. The new rules require every interconnected product sold in the EU to be cyber secure and make sure that our businesses and homes become more secure,” he added.

“I welcome the agreement reached by the Parliament and the Council on this important regulation my services tabled,” Thierry Breton, Commissioner for Internal Market, said. “This Act guarantees that digital devices within the EU embody robust cybersecurity from their conception throughout their lifecycle. This cybersecurity by design is essential for the security of both consumers and society at large.”

Last week, European Council chief Charles Michel emphasized the need for a customized ‘cyber force’ to enhance the defensive capabilities of the European Union. During his speech at the annual conference of the European Defence Agency (EDA) on Thursday, Michel proposed the establishment of a ‘European cyber force’ as a crucial element in Europe’s defense strategy.

“It would help us to take a position of leadership in cyber response operations and information superiority, and I believe it should be equipped with offensive capabilities,” he explained.

In October, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with 17 U.S. and international partners, released on a Monday an updated ‘Secure by Design’ principles joint guide. The document expanded the principles and guidance for technology providers to increase the safety of the products they ship around the world, offered additional insights into the essential principles and guidance, and has been endorsed by eight more international cybersecurity agencies.

The Cyber Resilience Act builds on the 2020 EU Cybersecurity Strategy and the 2020 EU Security Union Strategy and was announced in the 2021 State of the European Union address as part of the plan to build a Europe fit for the Digital Age. It will complement existing legislation, specifically the NIS2 Framework, adopted in 2022. It will apply to all products connected directly or indirectly to another device or network, except for specified exclusions, such as open-source software or products and services that are already covered by existing rules, which is the case for medical devices, aviation, and cars.

A key element of the proposal is the coverage of the whole lifecycle of the products, and in particular the provision of obligations for manufacturers and developers to define a support period that reflects the time the product is expected to be in use and to provide security updates during that period.

Such obligations would be established for economic operators, from manufacturers through to importers and distributors, concerning the placing on the market of products with digital elements, as appropriate to their role and responsibilities in the supply chain.

The problem addressed by the regulation is two-fold. First is the inadequate level of cybersecurity inherent in many products, or inadequate security updates for such products and software. Second is that consumers and businesses are currently unable to determine which products are cyber secure, or to set them up in a way that ensures their cybersecurity is protected.

The Cyber Resilience Act will guarantee harmonized rules for bringing to market products or software with a digital component; a framework of cybersecurity requirements governing the planning, design, development, and maintenance of such products, with obligations to be met at every stage of the value chain; and a duty-of-care obligation covering the entire lifecycle of such products.

Member States will appoint market surveillance authorities, which would be responsible for the enforcement of the Cyber Resilience Act obligations.

“In case of non-compliance, market surveillance authorities could require operators to bring the non-compliance to an end and eliminate the risk, to prohibit or restrict the making available of a product on the market, or to order that the product is withdrawn or recalled,” the agency disclosed. “Each of these authorities will be able to fine companies that do not adhere to the rules. The Cyber Resilience Act establishes maximum levels for administrative fines, which should be provided for in national laws in cases of non-compliance.”

The agreement reached is now subject to formal approval by both the European Parliament and the Council. Once adopted, the Cyber Resilience Act will enter into force on the 20th day following its publication in the Official Journal. Upon entry into force, manufacturers, importers, and distributors of hardware and software products will have 36 months to adapt to the new requirements, except for a more limited 21-month grace period concerning the reporting obligation of manufacturers for incidents and vulnerabilities.

Last month, the European Council approved conclusions on the initial EU Space Strategy for Security and Defence. The Council emphasized the EU’s enduring dedication to international law and the values and guiding principles established within the United Nations framework. Additionally, EU member states have reaffirmed their readiness to continue working to establish norms, rules, and principles of responsible behavior across the full range of space activities.
