In a bid to bolster the security of digital products like smart TVs, home cameras, connected toys, and smart fridges before they hit the market, representatives from EU member states have agreed on a shared position regarding the proposed Cyber Resilience Act. This legislation lays down broad cybersecurity requirements for products with digital components.
The State Secretary for Digitalisation and Artificial Intelligence, Carme Artigas Brugal, hailed this development as a significant milestone in advancing the EU’s commitment towards a secure digital single market. She stressed the need for IoT and other connected devices to meet basic cybersecurity standards, thereby offering effective protection for businesses and consumers against cyber threats.
This draft regulation establishes compulsory cybersecurity requirements for the design, development, and production of hardware and software products. The goal is to prevent any overlapping requirements that might arise from differing legislation in EU member states. It will apply broadly to any products that connect directly or indirectly to another device or network, with some exceptions for products already covered under existing EU rules such as medical devices, aviation, or cars.
In line with the original Commission proposal, the Council’s common position emphasizes the importance of manufacturer responsibility in ensuring product compliance with security requirements. It also highlights the need for transparency in security features of hardware and software products and sets up a market surveillance framework to enforce the rules.
However, the Council has suggested several amendments, including changes to the obligations for reporting vulnerabilities or incidents and provisions for manufacturers to determine product lifetimes. Additional support measures for small and micro enterprises and a simplified declaration of conformity have also been proposed.
Following the agreement on the Council’s common position, the Spanish presidency will now commence negotiations with the European Parliament on the final version of the proposed legislation.
This Cyber Resilience Act marks a pivotal step in the EU’s journey towards comprehensive cybersecurity. The Council had previously underscored the importance of such legislation in its conclusions on the cybersecurity of connected devices in December 2020, and the Act complements the EU’s existing cybersecurity framework, which includes the Directive on the Security of Network and Information Systems (NIS Directive) and the EU Cybersecurity Act.