According to the EU, ransomware attacks affect an organisation every eleven seconds and the estimated global annual cost of cybercrime reached €5.5 trillion in 2021. With the growth in smart and connected products, a cybersecurity incident in one product can affect the entire supply chain, possibly leading to severe disruption of economic and social activities, undermining security or even becoming life-threatening.

Therefore, the European Commission has proposed a new Cyber Resilience Act. It will set out:

  • rules for the placing on the market of products with digital elements to ensure their cybersecurity;
  • essential requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to these products;
  • essential requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the whole life cycle, and obligations for economic operators in relation to these processes. Manufacturers will also have to report actively exploited vulnerabilities and incidents;
  • rules on market surveillance and enforcement.

The proposed regulation will apply to all products that are connected either directly or indirectly to another device or network. There are some exceptions for products, for which cybersecurity requirements are already set out in existing EU rules, for example on medical devices, aviation or cars.

The European Parliament and the Council will now consider the draft Cyber Resilience Act. Once adopted, there will be a two year period to adapt to the new requirements, except for the reporting obligation on manufacturers for actively exploited vulnerabilities and incidents, which would apply after one year. The Commission says that it will regularly review the Cyber Resilience Act and report on its functioning.

The European Consumer Organisation (BEUC) has said that the proposal needs to be improved to meet consumer needs, for example by recognising the need for independent third-party assessment of certain products that pose higher risks to consumers, such as smart home systems, which can endanger the homeowner if hacked. It also says that the proposal should also require manufacturers to continuously address security vulnerabilities by providing software updates for the product’s expected lifespan. Finally, it believes that there should also be more effective redress and compensation mechanisms for consumers who are harmed by a product not meeting cybersecurity requirements.  On the other side of the coin, the Computer & Communications Industry Association has said it creates too much red tape.

The proposal is likely to change to some extent during the legislative process, but is one for manufacturers of connected technology to keep an eye on.