Proposal for a New Cyber Resilience Act
On 15 September 2022, the Commission proposed a new Cyber Resilience Act that builds upon the 2020 EU Cybersecurity Strategy (→ eucrim 4/2020, 282–283) and the 2020 EU Security Union Strategy (→ eucrim 2/2020, 71–72). With this Act, the Commission aims to offer consumers and businesses better protection from products with inadequate security features by introducing mandatory cybersecurity requirements for products with digital elements throughout their entire lifecycle.
The Commission had noticed that hardware and software products are becoming increasingly subject to successful cyberattacks, especially that such products suffer from two major problems, which are costly for users and society: First, a low level of cybersecurity, which transpires through widespread vulnerabilities and the insufficient and inconsistent provision of security updates to address them. Second, an insufficient understanding of and access to information by users, preventing them from choosing products with adequate cybersecurity features or from using them in a secure manner.
In order to counter these problems, the Commission is aiming to ensure the proper functioning of the internal market by pursuing two main general objectives:
- To establish favorable conditions for the creation of secure products with digital components by ensuring that hardware and software products are released onto the market with fewer vulnerabilities and that manufacturers treat security seriously throughout a product's life cycle;
- To establish conditions that encourage users to consider cybersecurity when deciding on and utilizing digital items.
The proposal further sets out four specific objectives:
- To ensure that manufacturers improve the security of products with digital elements, from the design and development phase and throughout their entire lifecycle;
- To establish a comprehensive cybersecurity framework that makes compliance easier for hardware and software manufacturers;
- To increase the transparency of security attributes in products with digital components;
- To make the security features of items with digital components more transparent.
It is now for the Council and the European Parliament to present their views on the draft Regulation and enter into negotiations. Once adopted, economic operators and Member States will have two years to adapt to the new requirements.