The new EU Cyber Resilience Law will mark a milestone by regulating the cybersecurity of all digital products, with a focus on building in cyber protection from the initial design phase. This pioneering legislation seeks to establish stricter and more uniform standards to protect critical infrastructures and sensitive data against cyber-attacks. With the increase in cyber threats and the growing dependence on technology, the Cyber Resilience Law is a fundamental step to ensure the integrity and operational continuity of digital systems in the EU.
Fines for non-compliance with the Cyber Resilience Law will range from 10 to 15 million euros or up to 2 or 2.5% of the infringing company’s annual turnover. The regulation includes a three-year adaptation period. The following are the ten key points of this new law:
1. Comprehensive Coverage
The law covers all devices connected to the network or to other devices, ensuring broad and detailed coverage.
2. Cybersecurity Standards
It establishes cybersecurity standards for the design, development, and production of digital products, sets obligations for economic operators, and lays down market surveillance and enforcement standards.
3. Vulnerability Management
It imposes essential requirements for vulnerability management on manufacturers, ensuring cybersecurity throughout a product's lifecycle, with the obligation to report vulnerabilities and incidents.
4. Supervision by Authorities
Member States will designate a notifying authority to supervise the assessment and notification procedures of conformity assessment bodies.
5. Consumer Information
It ensures that consumers have adequate information about the cybersecurity of the products they purchase and use.
6. Security Support
It obligates manufacturers to provide security support and software updates to address identified vulnerabilities.
7. Incorporation of Requirements
It requires the incorporation of essential cybersecurity requirements at all stages of the product lifecycle, including design, development, production, delivery, and maintenance.
8. Updates and Risk Management
Manufacturers must actively report vulnerabilities and incidents, provide security updates for at least five years, and effectively manage risks.
9. Risk Documentation
It requires the documentation of all cybersecurity risks associated with the products.
10. Clear Instructions and Evaluation
It establishes that products with digital elements must have clear, understandable instructions and a conformity assessment.
A Step Forward in Digital Security
The new Cyber Resilience Law will ensure safer hardware and software in the European Union. From baby monitors to smartwatches, products and software containing a digital component are ubiquitous in our daily lives. This law aims to protect consumers and businesses that purchase or use products or software with a digital component.
Security Guarantees
The law will ensure harmonized standards when marketing products or software programs with a digital component, establish a framework of cybersecurity requirements governing the planning, design, development, and maintenance of such products, and guarantee the duty of care throughout the lifecycle of these products.
Conclusion
When the Regulation comes into force, computer programs and internet-connected products will carry the CE marking to indicate compliance with the new standards. Because manufacturers and retailers will be required to prioritize cybersecurity, customers and businesses will be empowered to make better-informed decisions, confident in the cybersecurity credentials of products with the CE marking. This new regulation complements other legislation in this area and will apply to all products connected directly or indirectly to another device or network, with certain specified exclusions. The Cyber Resilience Law is expected to come into force in the second half of 2024, with an adaptation period until 2027.
The implementation of this law is an essential step in improving cybersecurity in Europe, protecting both consumers and businesses against growing digital threats.