Cybersecurity regulations also relevant to occupational health and safety.

SW – 04/2022

In a connected world, cybersecurity is also of fundamental importance for occupational safety and health. Safety functions on machines and systems can be manipulated, accidentally or intentionally, leading not only to property damage but also to considerable danger for workers.

One of the main reasons for "successful" cyber attacks is inadequate security measures. The European Commission wants to counter this with an initiative on horizontal cybersecurity requirements, i.e. requirements that are not limited to just one product category.

In preparation for the impact assessment on the initiative, stakeholders have the opportunity to comment on problems and various solutions. At the same time, the European Commission has launched a public consultation with specific questions on "cybersecurity of digital products and ancillary services".

Legal framework

In addition to general regulations on product liability, the applicable EU legal framework for digital products includes various legal provisions for products, such as the Medical Devices Regulation or the Machinery Directive, some of which deal with cybersecurity. However, the existing legal framework does not cover all types of digital products.

In addition to a wide range of hardware, this also affects non-embedded software products. Specific cybersecurity requirements covering the entire lifecycle of a product likewise remain unaddressed, even though, according to the European Commission, lifecycle requirements are critical for digital products and ancillary services.

It remains to be seen how the European Commission intends to ensure the improvement of the cybersecurity of products and services. In addition to legally non-binding initiatives, such as the introduction of voluntary measures, guidelines and recommendations, it presents various options for legally binding regulations for discussion. One possibility is "ad hoc" regulatory action, in which existing legislation is supplemented or amended as needed.

Law with horizontal cybersecurity requirements

A combined approach of binding and non-binding regulations is also conceivable. Horizontal regulation of cybersecurity requirements for a broad range of tangible and intangible digital products and related services, including non-embedded software, is cited as another alternative.

Background: Cybercrime

According to the European Commission's estimate, cybercrime cost the global economy 5.5 trillion euros in 2020, twice the 2015 figure. What is alarming is not just the cost but the sheer range of products prone to attack, ranging from insulin pumps and pacemakers to industrial cranes and blast furnaces in steel mills.

In her 2021 State of the Union address, European Commission President Ursula von der Leyen had already called for the EU to play a leading role in cybersecurity and announced a European cyber resilience law. The results of the consultations are to be incorporated into the next steps of the procedure.

A proposal from the European Commission, likely a regulation, is planned for the third quarter of 2022. For more information on the consultations, in which participation is open until 25 May 2022, please visit the following link.