Thursday 15 Sep 2022 @ 14:10
EU News
Printable version

State of the Union: New EU cybersecurity rules ensure more secure hardware and software products

The Commission yesterday presented a proposal for a new Cyber Resilience Act to protect consumers and businesses from products with inadequate security features. A first ever EU-wide legislation of its kind, it introduces mandatory cybersecurity requirements for products with digital elements, throughout their whole lifecycle.

SOTEU Banner

The Act, announced by President Ursula von der Leyen in September 2021 during her State of the European Union address, and building on the 2020 EU Cybersecurity Strategy and the 2020 EU Security Union Strategy, will ensure that digital products, such as wireless and wired products and software, are more secure for consumers across the EU: in addition to increasing the responsibility of manufacturers by obliging them to provide security support and software updates to address identified vulnerabilities, it will enable consumers to have sufficient information about the cybersecurity of the products they buy and use.

Margrethe Vestager, Executive Vice-President for a Europe Fit for the Digital Age, yesterday said:

We deserve to feel safe with the products we buy in the single market. Just as we can trust a toy or a fridge with a CE marking, the Cyber Resilience Act will ensure the connected objects and software we buy comply with strong cybersecurity safeguards. It will put the responsibility where it belongs, with those that place the products on the market.”

Margaritis Schinas, Vice-President for Promoting our European Way of Life, yesterday said:

“The Cyber Resilience Act is our answer to modern security threats that are now omnipresent through our digital society. The EU has pioneered in creating a cybersecurity ecosystem through rules on critical infrastructure, cybersecurity preparedness and response, and the certification of cybersecurity products. Today, we are completing this ecosystem through an Act that brings security in everyone's home, in all our businesses and in every product that is interconnected. Cybersecurity is a matter for society, no longer an industry affair.”

Thierry Breton, Commissioner for the Internal Market, yesterday said:

"When it comes to cybersecurity, Europe is only as strong as its weakest link: be it a vulnerable Member State, or an unsafe product along the supply chain. Computers, phones, household appliances, virtual assistance devices, cars, toys… each and every one of these hundreds of million connected products is a potential entry point for a cyberattack. And yet, today most of the hardware and software products are not subject to any cyber security obligations. By introducing cybersecurity by design, the Cyber Resilience Act will help protect Europe's economy and our collective security.

With ransomware attacks hitting an organisation every 11 seconds around the globe and the estimated global annual cost of cybercrime reaching €5.5 trillion in 2021 (Joint Research Centre report (2020): “Cybersecurity – Our Digital Anchor, a European perspective”), ensuring a high level of cybersecurity and reducing vulnerabilities in digital products – one of the main avenues for successful attacks – is more important than ever. With the growth in smart and connected products, a cybersecurity incident in one product can have an impact on the entire supply chain, possibly leading to severe disruption of economic and social activities across the internal market, undermining security or even becoming life-threatening.

The measures proposed yesterday are based on the New Legislative Framework for EU product legislation and will lay down:

  1. rules for the placing on the market of products with digital elements to ensure their cybersecurity;
  2. essential requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to these products;
  3. essential requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the whole life cycle, and obligations for economic operators in relation to these processes. Manufacturers will also have to report actively exploited vulnerabilities and incidents;
  4. rules on market surveillance and enforcement.

The new rules will rebalance responsibility towards manufacturers, who must ensure conformity with security requirements of products with digital elements that are made available on the EU market. As a result, they will benefit consumers and citizens, as well as businesses using digital products, by enhancing the transparency of the security properties and promoting trust in products with digital elements, as well as by ensuring better protection of their fundamental rights, such as privacy and data protection.

While other jurisdictions around the world look into addressing these issues, the Cyber Resilience Act is likely to become an international point of reference, beyond the EU's internal market. EU standards based on the Cyber Resilience Act will facilitate its implementation and will be an asset for the EU cybersecurity industry in global markets.

The proposed regulation will apply to all products that are connected either directly or indirectly to another device or network. There are some exceptions for products, for which cybersecurity requirements are already set out in existing EU rules, for example on medical devices, aviation or cars.

Next Steps

It is now for the European Parliament and the Council to examine the draft Cyber Resilience Act. Once adopted, economic operators and Member States will have two years to adapt to the new requirements. An exception to this rule is the reporting obligation on manufacturers for actively exploited vulnerabilities and incidents, which would apply already one year from the date of entry into force, since they require fewer organisational adjustments than the other new obligations. The Commission will regularly review the Cyber Resilience Act and report on its functioning.

Click here for the full press release

 

Original article link: https://ec.europa.eu/commission/presscorner/detail/en/IP_22_5374

Share this article

Latest News from
EU News

EU increases humanitarian aid to Gaza by €25 million

07/11/2023 13:25:00

As part of the EU's continued support to people in Gaza, the Commission will provide a further €25 million in humanitarian aid. This quadruples EU humanitarian assistance to over €100 million for Gaza this year.

President von der Leyen marks the EU's commitment to the Partnership for Global Infrastructure and Investment (PGII) during the event hosted at the G20 in New Delhi

12/09/2023 15:25:00

President von der Leyen recently (09 September 2023) spoke at the G20 event on PGII hosted by Prime Minister Modi and President Biden.

Summer 2023 Economic Forecast: Easing growth momentum amid declining inflation and robust labour market

12/09/2023 13:25:00

The European Commission yesterday presented the Summer 2023 Economic Forecast

Climate change: Deal on a more ambitious Emissions Trading System (ETS)

20/12/2022 10:33:00

On Saturday night, MEPs and EU governments agreed to reform the Emissions Trading System to further reduce industrial emissions and invest more in climate friendly technologies.

EU and Ukraine sign €100 million for the rehabilitation of war-damaged schools *

20/12/2022 09:25:00

Exactly three months after President von der Leyen's announcement in her 2022 State of the Union Address, the European Commission and the Government of Ukraine have signed a €100 million support package for the reconstruction and rehabilitation of schooling facilities damaged in Russia's full-scale war of aggression against Ukraine.

NextGenerationEU: European Commission endorses positive preliminary assessment of Portugal's second request for €1.8 billion disbursement under the Recovery and Resilience Facility

19/12/2022 16:33:00

The European Commission recently (16 December 2022) endorsed a positive preliminary assessment of Portugal's payment request for €1.8 billion of grants and loans under the Recovery and Resilience Facility (RRF), the key instrument at the heart of NextGenerationEU.

'Fit for 55': Council and Parliament reach provisional deal on EU emissions trading system and the Social Climate Fund

19/12/2022 15:25:00

The Council and the European Parliament reached a provisional political agreement on important legislative proposals of the ‘Fit for 55’ package that will further reduce emissions and address their social impacts.

Ukraine: EU agrees ninth package of sanctions against Russia

19/12/2022 14:33:00

The Commission welcomes the Council's adoption of a ninth package of hard-hitting sanctions against Russia for its aggression against Ukraine. 

Council and European Parliament agree on new safety requirements for machinery products

19/12/2022 13:25:00

The Council and the European Parliament negotiators have reached a provisional agreement on the regulation for machinery products. The proposed legislation transforms the 2006 machinery directive into a regulation. 

Recruiters Handbook: Download now and take the first steps towards developing a more diverse, equitable, and inclusive organisation.