On 1 December, political agreement was reached between the European Parliament and the European Council on the Cyber Resilience Act. This is designed to “improve the level of cybersecurity of digital products to the benefit of consumers and businesses across the EU, as it introduces proportionate mandatory cybersecurity requirements for all hardware and software, ranging from baby monitors, smart watches and computer games to firewalls and routers”.

According to the European Commission, in the last year, “the number of software supply chain attacks has tripled, and every day, small businesses and critical institutions like hospitals are targeted by cyber criminals. Every 11 seconds, an organisation is hit by a ransomware attack, to the cost of an estimated €20 billion annually. And, in 2021 alone, cyber criminals were able to hack devices and launch around 10 million distributed denial of service (DDoS) attacks worldwide, making websites and online services inaccessible to their users”.

The new Cyber Resilience Act means that manufacturers will need to implement cybersecurity measures for hardware and software products with a digital component. These measures apply across the entire lifecycle of the products, including for several years after the products have been purchased. Once compliant, products will be labelled with the CE marking to indicate that they can be sold in the EU. Importers and distributors of such products will also have responsibilities under the Act to ensure that the products they place on the market are compliant.

Alongside the UK's Product Security and Telecommunications Infrastructure Act 2022 ("PTSIA") (which also provides for greater product security measures – take a peep at our article here), the new EU legislation will help address the inadequate level of cybersecurity in many products. In addition, it will enable users to make a more informed choice about the security of the products they buy.

The Act awaits formal approval by the European Parliament and the Council. Once in force (which we expect to be in 2024), stakeholders will have 36 months to comply with the new requirements (with the exception of a more limited 21-month grace period in relation to the reporting obligation of manufacturers for incidents and vulnerabilities).

If you'd like to know more about cyber-security laws, do get in touch with the team of experts here at Lewis Silkin.