European Cyber Resilience Act
Cybersecurity regulations also relevant to occupational health and safety.
SW – 04/2022
In a connected world, cybersecurity is also of fundamental importance for occupational safety and health. Safety functions on machines and systems can be manipulated accidentally or intentionally and lead not only to damage but also to considerable danger for workers.
One of the main reasons for "successful" cyber attacks is inadequate security measures. The European Commission wants to counter this with an initiative on horizontal cybersecurity requirements, i.e. requirements that are not limited to just one product category.
In preparation for the impact assessment on the initiative, stakeholders have the opportunity to comment on the problems and on various solutions. At the same time, the European Commission has launched a public consultation with specific questions on the "cybersecurity of digital products and ancillary services".
Legal framework
In addition to general regulations on product liability, the applicable EU legal framework for digital products includes various product-specific legal provisions, such as the Medical Devices Regulation or the Machinery Directive, some of which deal with cybersecurity. However, the existing legal framework does not cover all types of digital products.
Besides a wide range of hardware, this gap also affects non-embedded software products. Specific cybersecurity requirements covering the entire lifecycle of a product also remain unaddressed, even though, according to the European Commission, lifecycle requirements are critical for digital products and ancillary services.
It remains to be seen how the European Commission intends to ensure the improvement of the cybersecurity of products and services. In addition to legally non-binding initiatives, such as the introduction of voluntary measures, guidelines and recommendations, it presents various options for legally binding regulations for discussion. One possibility is "ad hoc" regulatory action, in which existing legislation is supplemented or amended as needed.
Law with horizontal cybersecurity requirements
A combined approach of binding and non-binding regulations is also conceivable. Horizontal regulation of cybersecurity requirements for a broad range of tangible and intangible digital products and related services, including non-embedded software, is cited as a further alternative.
Background: Cybercrime
According to the European Commission's estimate, cybercrime cost the global economy 5.5 trillion euros in 2020, twice the 2015 figure. What is alarming is not just the cost but the sheer range of products prone to attack, from insulin pumps and pacemakers to industrial cranes and blast furnaces in steel mills.
In her 2021 State of the Union address, European Commission President Ursula von der Leyen had already called for the EU to play a leading role in cybersecurity and announced a European cyber resilience law. The results of the consultations are to be incorporated into the further procedure.
A proposal from the European Commission, likely a regulation, is planned for the third quarter of 2022. For more information on the consultations, in which participation is open until 25 May 2022, please visit the following link.