New EU rules for cybersecurity of hardware and software products

CC – 09/2022

The European Commission is responding to the growing threat of cyber attacks and, to this end, presented its proposal for a new Cyber Resilience Act on 15/09/22. The draft regulation aims to introduce binding cybersecurity requirements for hardware and software products with digital elements. The act builds on the EU's 2020 Cybersecurity Strategy.

In a connected world, cybersecurity is also of fundamental importance for occupational safety and health. Safety functions on machines and systems can be manipulated accidentally or intentionally, leading not only to damage but also to considerable danger for workers.

Obligations for manufacturers

Manufacturers of digitally connected products must demonstrate compliance with the EU's essential cybersecurity requirements when placing them on the market, regardless of whether the products are manufactured in the EU or not. They also have a duty of care to handle vulnerabilities effectively, delivering security updates and reporting actively exploited vulnerabilities. The requirements must be met throughout the product's life cycle. Violations can result in fines of up to EUR 15 million or 2.5 per cent of total worldwide annual turnover, whichever is higher.

Transparency for consumers

Consumers should be adequately informed about the cybersecurity of the products they buy and use. By requiring manufacturers and retailers to prioritise cybersecurity, the European Commission's plan would empower customers and businesses to make better-informed decisions about the cybersecurity of CE-marked products.

Networked products, two risk categories

The proposed regulation will apply to all products that are directly or indirectly connected to another device or network, such as baby monitors, refrigerators or fitness wristbands. There are some exceptions for products already covered by existing EU cybersecurity rules, such as medical devices, aerospace products and cars. The European Commission distinguishes a default category, covering the large majority of products, from critical products. For products in the default category, the manufacturer carries out a self-assessment. For critical products, a stricter conformity assessment applies, and for the most critical ones a third party must carry it out. If the assessment is positive, the manufacturer issues an EU declaration of conformity and affixes the CE marking as proof.

Next steps

The European Parliament and the Member States in the Council will now discuss the contents of the European Commission's draft legislation. Following adoption of the regulation, companies and Member States have two years to adapt to the new requirements. Manufacturers must comply with their obligation to report security vulnerabilities only one year after the regulation enters into force.