Manufacturers selling in the EU may soon become responsible for the cybersecurity of a product throughout its lifecycle under proposed rules.
The European Commission has unveiled its proposals to bolster the security of hardware and software products being sold in the EU.
Published this month, the Cyber Resilience Act aims to hold manufacturers of devices that can connect to the internet responsible for cybersecurity throughout the product lifecycle.
It would also allow consumers to be properly informed about the security of the products they buy and use.
European Commission explained in a Q&A, “while manufacturers of products with digital elements sometimes face reputational damage when their products lack security, the cost of vulnerabilities is predominantly borne by professional users and consumers. This limits the incentives of manufacturers to invest in secure design and development and to provide security updates.”
The act aims to ensure that products with digital elements – anything that can connect to the internet and may be susceptible to cyberattacks – can only be available in the EU if they meet specific essential cybersecurity requirements and factor in security in the product’s design and development.
Margrethe Vestager, executive vice-president for a Europe Fit for the Digital Age, said, “just as we can trust a toy or a fridge with a CE marking, the Cyber Resilience Act will ensure the connected objects and software we buy comply with strong cybersecurity safeguards. It will put the responsibility where it belongs, with those that place the products on the market.”
According to the European Commission, hardware and software products are increasingly subject to successful cyberattacks – costing the global economy an estimated €5.5trn in 2021.
Internal market commissioner, Thierry Breton, said, “when it comes to cybersecurity, Europe is only as strong as its weakest link – be it a vulnerable member state or an unsafe product along the supply chain. Hundreds of millions of connected products, from computers and smartphones to virtual assistant devices and cars, are potential entry points for cyberattacks.”
“And yet, today, most of the hardware and software products are not subject to any cybersecurity obligations. By introducing cybersecurity by design, the Cyber Resilience Act will help protect Europe’s economy and our collective security.”
The European Parliament and Council will now examine the draft act. If adopted, member states would have two years to adapt to the new requirements – with the exception of the requirement for manufacturers to report vulnerabilities, which would apply within one year.
Margaritis Schinas, vice-president for Promoting our European Way of Life, said, “the EU has pioneered in creating a cybersecurity ecosystem through rules on critical infrastructure, cybersecurity preparedness and response, and the certification of cybersecurity products.”
“Today, we are completing this ecosystem through an act that brings security in everyone’s home, in all our businesses and in every product that is interconnected. Cybersecurity is a matter for society, no longer an industry affair.”
Source: Silicon Republic