The European Union adopted a new law on cybersecurity for digital products to ensure their safety before market entry. The Cyber Resilience Act addresses gaps, clarifies connections, and enhances coherence in the cybersecurity legislative framework. As the first regulation globally to set security requirements for product market entry, it mandates that from 2027, products with digital components must meet these standards to be available in the EU.
Following Thursday’s adoption, the legislative act will be signed by the Council and the European Parliament presidents and published in the EU’s official journal in the coming weeks. The new regulation will enter into force twenty days after this publication and will apply 36 months after it enters into force with some provisions to apply at an earlier stage.
The Cyber Resilience Act introduces EU-wide cybersecurity requirements for the design, development, production, and making available hardware and software products on the market, to avoid overlapping requirements stemming from different pieces of legislation in EU member states. To enhance the cybersecurity standards of digitally integrated products available in the internal market, the Act identifies that is crucial to establish goal-focused and technology-neutral essential cybersecurity requirements that apply across the board.
For example, software and hardware products will bear the CE marking to indicate that they comply with the regulation’s requirements. The letters ‘CE’ appear on many products traded on the extended single market in the European Economic Area (EEA). They signify that products sold in the EEA have been assessed to meet high safety, health, and environmental protection requirements.
The regulation will apply across products that are connected either directly or indirectly to another device or a network. There are some exceptions for products for which cybersecurity requirements are already set out in existing EU rules. Finally, the Cyber Resilience Act will allow consumers to take cybersecurity into account when selecting and using products that contain digital elements, making it easier for them to identify hardware and software products with the proper cybersecurity features.
The move by the European Union comes as the number and variety of connected devices will rise exponentially in the coming years. Cyberattacks represent a matter of public interest as they have a critical impact not only on the Union’s economy but also on democracy and consumer safety and health. It is, therefore, necessary to strengthen the Union’s approach to cybersecurity, address cyber resilience at the Union level, and improve the functioning of the internal market by laying down a uniform legal framework for essential cybersecurity requirements for placing products with digital elements on the Union market.
The Cyber Resilience Act identifies two major problems that add costs for users and society that should be addressed – a low level of cybersecurity of products with digital elements, reflected by widespread vulnerabilities and the insufficient and inconsistent provision of security updates to address them, and an insufficient understanding and access to information by users, preventing them from choosing products with adequate cybersecurity properties or securely using them.
The regulation aims to set the boundary conditions for developing secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and that manufacturers take security seriously throughout a product’s lifecycle. It also aims to create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements, for example by improving transparency about the support period for products with digital elements made available on the market.
The European Union identified that various acts and initiatives taken thus far at Union and national levels only partially address the identified cybersecurity-related problems and risks, creating a legislative patchwork within the internal market, increasing legal uncertainty for both manufacturers and users of those products, and adding an unnecessary burden on businesses and organizations to comply with several requirements and obligations for similar types of products.
“The cybersecurity of those products has a particularly strong cross-border dimension, as products with digital elements manufactured in one Member State or third country are often used by organizations and consumers across the entire internal market,” the document said. “This makes it necessary to regulate the field at Union level to ensure a harmonized regulatory framework and legal certainty for users, organizations, and businesses.”
Further, the Union regulatory landscape should be harmonized by introducing horizontal cybersecurity requirements for products with digital elements. In addition, legal certainty for economic operators and users, as well as a better harmonization of the internal market and proportionality for microenterprises and small and medium-sized enterprises, creating more viable conditions for economic operators aiming to enter that market, should be ensured across the Union.
The document identifies that a secure internet is indispensable for the functioning of critical infrastructures and society as a whole. It aims at ensuring a high level of cybersecurity of services provided by essential and important entities, including digital infrastructure providers that support core functions of the open internet, ensure internet access, and provide internet services. It is therefore important that the products with digital elements necessary for digital infrastructure providers to ensure the functioning of the internet are developed securely and that they comply with well-established internet security standards.
The regulation, which applies to all connectable hardware and software products, also aims at facilitating the compliance of digital infrastructure providers with the supply chain requirements by ensuring that the products with digital elements that they use for the provision of their services are developed securely and that they have access to timely security updates for such products.
To ensure effective implementation of the regulation, member states should ensure that adequate resources are available for the appropriate staffing of the market surveillance authorities and conformity assessment bodies to perform their tasks as laid down in this regulation. Those measures should enhance workforce mobility in the cybersecurity field and their associated career pathways. They should also contribute to making the cybersecurity workforce more resilient and inclusive, also in terms of gender.
Member States should therefore take measures to ensure that those tasks are carried out by adequately trained professionals, with the necessary cybersecurity skills. Similarly, manufacturers should ensure that their staff has the necessary skills to comply with their obligations as laid down in this regulation. Member States and the Commission, in line with their prerogatives and competencies and the specific tasks conferred upon them by this regulation, should take measures to support manufacturers and in particular microenterprises and small and medium-sized enterprises, for compliance with their obligations as laid down in this Regulation.
Furthermore, member states must adopt policies promoting and developing training on cybersecurity and cybersecurity skills as part of their national cybersecurity strategies, member states may also consider, when adopting such strategies, addressing the cybersecurity skills needs resulting from this regulation, including those relating to reskilling and up-skilling.
In March, the European Union approved the new cyber resilience standards to protect all digital products in the EU from cyber threats. Already agreed with the Council last December, the regulation aims to ensure that products with digital features are secure to use, resilient against cyber threats, and provide enough information about their security properties.
The European Commission’s Joint Research Centre (JRC) and the European Union Agency for Cybersecurity (ENISA) released in April a Cyber Resilience Act Requirements Standards Mapping report that aims to align existing cybersecurity and vulnerability standardization outputs with the qualifications required for products with digital elements under the Cyber Resilience Act. The study identifies key cybersecurity standards for each CRA requirement, assesses their coverage of the intended scope, and identifies potential gaps for improvement.
This week, the Australian government rolled out a Cyber Security Legislation Package to enhance the security and resilience of Australia’s cyber environment and critical infrastructure. Subject to the passage of the ‘Cyber Security Bill 2024’ legislation this week, Australia will have its first standalone Cyber Security Act to ensure strong laws and protections through a clear legislative framework. The proposed bill prescribes minimum security standards for smart devices, ransomware reporting obligations, ‘limited use’ obligations for the National Cyber Security Coordinator and the Australian Signals Directorate (ASD); and a Cyber Incident Review Board.