The European Commission has put forward a proposal for a new Cyber Resilience Act to protect individuals and businesses that buy or use products or software with a digital component. It would be the first EU-wide legislation on this subject, introducing mandatory cybersecurity requirements for products with digital elements.
The new law, formulated as an EU regulation, aims to address the inadequate level of cybersecurity built into many products and the insufficient provision of security updates for products and software. It also aims to address the difficulties consumers and businesses face in understanding the cybersecurity properties of products and in configuring them securely.
The key points of the proposal include:
- Rules to raise the cybersecurity of products with digital elements that are placed on the market.
- Essential requirements for the design, development and production of products with digital elements, and obligations for economic operators (manufacturers, importers and distributors) concerning these products.
- Essential requirements for the vulnerability handling processes that manufacturers must put in place to keep products with digital elements secure throughout their life cycle, and obligations for economic operators concerning these processes. Manufacturers will also have to report actively exploited vulnerabilities and security incidents.
- Rules on market surveillance and enforcement.
The European Parliament and the Council will now examine the proposed regulation. Once it is adopted, economic operators and EU member states will have two years to comply with the new requirements. As an exception, the manufacturers' obligation to report actively exploited vulnerabilities and incidents will apply one year after the regulation enters into force.
The full text of the proposed regulation on horizontal cybersecurity requirements for products with digital elements, together with the European Commission's press release on the Cyber Resilience Act, is published by the European Commission.