EU Agrees on Common Position for Cyber Resilience Act to Enhance Security of Digital Products

By ISBuzz Team
Writer, Information Security Buzz | Jul 25, 2023 01:19 am PST

In a bid to bolster the security of digital products like smart TVs, home cameras, connected toys, and smart fridges before they hit the market, representatives from EU member states have agreed on a shared position regarding the proposed Cyber Resilience Act. This legislation lays down broad cybersecurity requirements for products with digital components.

The State Secretary for Digitalisation and Artificial Intelligence, Carme Artigas Brugal, hailed this development as a significant milestone in advancing the EU’s commitment towards a secure digital single market. She stressed the need for IoT and other connected devices to meet basic cybersecurity standards, thereby offering effective protection for businesses and consumers against cyber threats.

This draft regulation establishes compulsory cybersecurity requirements for the design, development, and production of hardware and software products. The goal is to prevent any overlapping requirements that might arise from differing legislation in EU member states. It will apply broadly to any products that connect directly or indirectly to another device or network, with some exceptions for products already covered under existing EU rules such as medical devices, aviation, or cars.

In line with the original Commission proposal, the Council’s common position emphasizes the importance of manufacturer responsibility in ensuring product compliance with security requirements. It also highlights the need for transparency in security features of hardware and software products and sets up a market surveillance framework to enforce the rules.

However, the Council has suggested several amendments, including alterations to the reporting obligations of vulnerabilities or incidents and provisions for determining product lifetimes by manufacturers. Additional support measures for small and micro enterprises and a simplified declaration of conformity have also been proposed.

Following the agreement on the Council’s common position, the Spanish presidency will now commence negotiations with the European Parliament on the final version of the proposed legislation.

This Cyber Resilience Act marks a pivotal step in the EU’s journey towards comprehensive cybersecurity. The Council had previously underscored the importance of such legislation in its conclusions on the cybersecurity of connected devices in December 2020, and the Act complements the EU’s existing cybersecurity framework, which includes the Directive on the Security of Network and Information Systems (NIS Directive) and the EU Cybersecurity Act.

Expert Comment

John Smith, EMEA CTO
July 25, 2023 10:09 am

“The European Cyber Resilience Act (CRA) is a landmark piece of regulation, put in place to rectify a number of current weaknesses in the European technology market, while better mitigating future risk through increased responsibility and transparency from software and application providers.

Software supply chain vulnerabilities have continued to make headlines in 2023, highlighting the considerable knock-on effect of a single vulnerability on potentially thousands of companies and individual citizens. These incidents exposed the need for cybersecurity standards that address the full software development life cycle (SDLC), and it is encouraging to see that these have served as a wakeup call for regulatory bodies and spurred on government action, as demonstrated in the supply chain focus of the CRA.

With member states having agreed on a common position for the regulation, this is a very strong step in the right direction and an important moment for the technology industry. It not only brings more transparency to an area that is often opaque, but also encourages software vendors, manufacturers, and retailers to increase cybersecurity for the products they sell, as well as helping buyers easily select products that are robust. Hopefully, this will incentivise organisations to go above and beyond the mandatory requirements and put security higher up the agenda. With any piece of regulation, clarity is key, so setting mandatory standards across the region is imperative to avoid the complexities of overlapping pieces of legislation across each EU member state. In today’s world, a joined up, international approach to regulation is the most effective way to drive change.”
