The cybersecurity and cyberintelligence company S2 Grupo highlights that one of the key aspects of the new EU Cyber Resilience Law will be the implementation of the so-called ‘security by design’. This is “absolutely necessary for cyber protection” but it will “pose a challenging environment” for many companies.
In this context, S2 Grupo, specialized in cybersecurity and cyberintelligence, stated in a press release that this measure “will combat one of the big problems of most devices” that had not been designed with cybersecurity patterns in mind. According to the company’s experts, this made them vulnerable to attacks, allowing hackers to access local networks.
“In addition to the need to create cyber-secure products from the earliest design phase, companies must also take into account that non-compliance with the requirements of this law could result in fines ranging from 10 to 15 million euros or up to 2 or 2.5% of their annual turnover,” said José Rosell, co-founder and CEO of S2 Grupo.
This regulation includes a 3-year adaptation period, and according to the experts at S2 Grupo, these are the 10 key points regarding the new Cyber Resilience Law:
1. It will affect all devices connected to the network or other devices.
2. Cybersecurity rules are established for the design, development, and production of products with digital elements, obligations for economic operators, and rules on market surveillance and enforcement.
3. It sets out essential requirements for vulnerability management processes established by manufacturers to ensure the cybersecurity of digital products throughout their lifecycle. Manufacturers must report vulnerabilities and incidents.
4. Member States will designate a notifying authority that will establish the necessary procedures for assessing and notifying conformity assessment bodies and monitoring notified bodies.
5. Its main objective is to ensure that consumers have sufficient information about the cybersecurity of the products they purchase and use.
6. Manufacturers are required to provide security support and software updates to address identified vulnerabilities.
7. Manufacturers, importers, and distributors must incorporate essential cybersecurity requirements in the design, development, production, delivery, and maintenance of digital devices. They must deliver their products without ‘known’ vulnerabilities and with a ‘secure’ configuration by default.
8. Manufacturers must actively report vulnerabilities and incidents of their products. They must provide update support for vulnerabilities during the useful life of their products for a minimum of 5 years, managing and mitigating them effectively.
9. All cybersecurity risks must be documented.
10. Digital products must have clear and understandable instructions and must undergo a conformity assessment.
“We are in a digitalization context where all kinds of companies or organizations require specific advice on cybersecurity, not only to comply with the legislation but also to offer services and products that do not jeopardize the continuity of their businesses or the cybersecurity of their customers, understand the implications of the law in their activities, design the measures they must take to adapt correctly to the Cyber Resilience Law and implement them efficiently,” explained José Rosell.
“On the other hand, a product being secure today does not guarantee that it will remain so in the future because the continuous advancement of technological capabilities and software updates discover new vulnerabilities every day. For this reason, device assessment should be done periodically as a continuous improvement process, as an essential link in the business process,” concluded the CEO of S2 Grupo.