- The European Commission has published the new EU Cyber Resilience Act which is the first ever EU-wide legislation of its kind.
- The act aims to increase the security of the entire cyber ecosystem, from end users to manufacturers, while powering the functioning of the internal market.
- The act sets dozens of rules and increases the responsibility of manufacturers of wireless and wired products, as well as software manufacturers, for minimizing cyber attacks.
On 15 September, the European Commission published the Cyber Resilience Act (CRA), which aims to establish general cybersecurity rules for connected devices and services in the European market. Currently, EU internal market legislation applies only to certain products; most hardware and software products are not covered by any EU legislation that addresses their safeguarding.
EU increases the responsibility of manufacturers
The Cyber Resilience Act is the first ever EU-wide legislation of its kind. It was first presented by President Ursula von der Leyen in September 2021 during her State of the European Union address, building on the 2020 EU Cybersecurity Strategy and the 2020 EU Security Union Strategy. The program's goal is to ensure that digital products such as wireless and wired devices and software are more secure for end users within the European Union. Margrethe Vestager, Executive Vice-President for a Europe Fit for the Digital Age, said:
"We deserve to feel safe with the products we buy in the single market. Just as we can trust a toy or a fridge with a CE marking, the Cyber Resilience Act will ensure the connected objects and software we buy comply with strong cybersecurity safeguards. It will put the responsibility where it belongs, with those that place the products on the market."
The Cyber Resilience Act will increase the responsibility of manufacturers by requiring them to provide security support and software updates to address identified vulnerabilities. It will also allow consumers to receive proper information about the cybersecurity of the devices they purchase. The Act is intended to reduce the number of successful cybersecurity exploits, and with it the cost of handling them and the reputational damage suffered by producers.
The act contains a lengthy list of obligations that a manufacturer must comply with. The manufacturer will have responsibilities before the product is released, during its use, and during a security breach. In case of non-compliance, companies will face fines of up to €15,000,000 or up to 2.5% of their total worldwide annual turnover for the previous financial year, whichever is higher.
Living in the era of smart devices
As we live in the era of connected devices, more and more such devices are in demand, and a cyber attack on one product can have an impact on the entire supply chain. It may lead to severe disruption of social and economic activities and can sometimes even become life-threatening. According to Cybersecurity Ventures, as reported in the Joint Research Centre report, a ransomware attack targeting an organization somewhere around the globe occurs every 11 seconds. The estimated annual global cost of cybercrime reached €5.5 trillion in 2021.