The European Commission issued a proposal for a Cyber Resilience Act that introduces cybersecurity rules for manufacturers and developers of Internet of Things (IoT) digital products. The proposal is based on the security-by-design principle aimed at ensuring that manufacturers of digital devices are responsible for security at the design and engineering stage and throughout the life cycle of products sold.
“If everything is connected, everything can be vulnerable. […]”, as stated by Ursula von der Leyen, President of the European Commission, at the State of the Union 2021.
The proposed Cyber Resilience Act has been put forward by the European Commission and is now before the European Council and Parliament for final approval. Following public consultations concluded last May, the Cyber Resilience Act continues the implementation of the EU’s digital transformation by 2030.
What is new about the proposal is the disruptive effect it would bring to the global legislative landscape on the Internet of Things. The Cyber Resilience Act would fill regulatory gaps with respect to IoT software and hardware products that are still unregulated in the digital realm, harmonizing the relevant framework of standards and increasing legal certainty for single market players.
The European Commission has focused on two main problems:
- The low number of updates to Internet of Things digital products once they are placed on the market, which shows a substantial lack of interest on the part of the manufacturer in any security problems in the after-sale phase; and
- The lack of awareness and knowledge on the consumer side regarding the cybersecurity of the devices being used.
How are these issues addressed within the Cyber Resilience Act? The key to preventing ransomware attacks lies in two concepts: cybersecurity-by-design and transparency in the security of an IT product throughout its life-cycle. The European Commission’s proposal requires that products with digital elements can only be made available on the EU single market if they meet all necessary security measures. For example, they will be required to ensure after-sales support for a reasonable time, aimed at supporting customers in coping with cyber threats.
In practice, manufacturers will be assessed for compliance with the standards prescribed in the European act. Depending on the classification of the product’s level of criticality, the assessment would be performed either by the manufacturer itself or by a third party. Passing the inspection allows manufacturers to affix the CE certificate to their goods, declaring compliance with EU standards and allowing them to place the goods freely on the single market.
The purpose of the proposal is to increase consumer confidence in digital products sold in Europe, in line with the EU’s aspiration to strengthen its “Security Union Agenda,” benefiting businesses and consumers alike. Indeed, the former would reduce the costs associated with incidents arising from cybersecurity problems with their products, while end consumers would enjoy greater clarity when purchasing and using IT devices.
Should the European Commission’s proposal pass the scrutiny of the other two co-legislators, EU member states and economic operators would have two years to comply (12 months for the obligation to report any actively exploited vulnerabilities).
The digital world has so far welcomed the proposed Cyber Resilience Act, at a time when the issue of digital security becomes crucial for businesses and consumers. The European Information Security Agency (ENISA) has sounded the alarm on this phenomenon, reporting how, in 2021, a ransomware attack occurred every 11 seconds. No industry sector can claim to be immune from a threat that, globally, caused some 20 billion euros in damage last year.
On a similar topic, you may find the article “ENISA 2022 ransomware report gives insights also on regulatory measures to be undertaken” interesting.