European Commission publishes cyber resilience law
New EU rules for cybersecurity of hardware and software products
CC – 09/2022
The European Commission is responding to the increasing threat of cyber attacks and, to this end, presented its proposal for a new Cyber Resilience Act on 15/09/22. The draft regulation aims to introduce binding cybersecurity standards for all digital hardware and software products. The act builds on the EU's 2020 Cybersecurity Strategy.
In a connected world, cybersecurity is also of fundamental importance for occupational safety and health. Safety functions on machines and systems can be manipulated accidentally or intentionally and lead not only to damage but also to considerable danger for workers.
Obligations for manufacturers
Manufacturers of digitally connected products must demonstrate compliance with EU safety requirements when placing them on the market, regardless of whether the products are manufactured in the EU or not. They also have a duty of care to regularly fix and report vulnerabilities. Safety requirements must be met throughout the life cycle of a product. Violations can result in fines of up to EUR 15 million or 2.5 per cent of the total worldwide annual turnover.
Transparency for consumers
Consumers should be adequately informed about the cybersecurity of the products they buy and use. By asking manufacturers and retailers to prioritise cybersecurity, customers and businesses would be empowered to make better-informed decisions related to the cybersecurity of CE-marked products, according to the European Commission's plan.
Networked products, two risk categories
The proposed regulation will apply to all products that are directly or indirectly connected to another device or network, such as baby monitors, refrigerators or fitness wristbands. There are some exceptions for products already covered by existing EU cybersecurity rules, such as medical devices, aerospace products and cars. The European Commission introduces two categories of critical products. For low-risk products, a self-assessment must be carried out. For critical ones, third parties should carry out a conformity assessment. If the assessment is positive, the manufacturers and developers would issue an EU declaration of conformity and be able to demonstrate this with the CE mark.
Next steps
The European Parliament and the Member States in the Council will now discuss the contents of the European Commission's draft legislation. Following the adoption of the regulation, companies and Member States have two years to adapt to the new requirements. Manufacturers are to comply with their obligation to report security vulnerabilities after only one year from the date of entry of this regulation into force.