Sunday, May 26, 2024

EU Enacts Landmark Cybersecurity Law for Manufacturers, Oil, Gas


The European Commission welcomed the political agreement reached Thursday night between the European Parliament and the Council on the Cyber Resilience Act, proposed by the Commission in September 2022.

The Cyber Resilience Act is the first legislation of its kind in the world. It will improve the level of cybersecurity of digital products to the benefit of consumers and businesses across the EU, as it introduces proportionate mandatory cybersecurity requirements for all hardware and software. Products with different associated levels of risk will have different security requirements. Less than 10% of products will be subject to third-party assessments.

With this new regulation, all products on the EU market must be cyber secure. This is a crucial step in the fight against the growing threat from cyber criminals and other malicious actors.

Once the Cyber Resilience Act is in place, hardware and software manufacturers must implement cybersecurity measures across the entire product lifecycle, from the design and development to after the product is placed on the market. Software and hardware products will bear the CE marking to indicate that they comply with the Regulation’s requirements and, therefore, can be sold in the EU.

The Act will also introduce a legal obligation for manufacturers to provide consumers with timely security updates for several years after the purchase. This period must reflect the time products are expected to be used.

Through these measures, the new act will empower users to make better informed and more secure choices, as manufacturers will have to become more transparent and responsible about the security of their products.

Next steps. The agreement is now subject to formal approval by the European Parliament and the Council. Once adopted, the Cyber Resilience Act will enter into force on the 20th day following its publication in the Official Journal.

Upon entry into force, manufacturers, importers, and distributors of hardware and software products will have 36 months to adapt to the new requirements, apart from a more limited 21-month grace period with manufacturers’ reporting obligations for incidents and vulnerabilities.

Background. The Cyber Resilience Act builds on the 2020 EU Cybersecurity Strategy and the 2020 EU Security Union Strategy and was announced in the 2021 State of the European Union address as part of the plan to build a Europe fit for the Digital age. It will complement existing legislation, specifically the NIS2 Framework, adopted in 2022.

In the last year, the number of software supply chain attacks has tripled, and every day, small businesses and critical institutions like hospitals are targeted by cybercriminals. Every 11 seconds, an organization is hit by a ransomware attack, costing an estimated €20 billion annually. And in 2021 alone, cybercriminals were able to hack devices and launch around 10 million distributed denial of service (DDoS) attacks worldwide, making websites and online services inaccessible to their users.

Expert commentary. George McGregor, VP, Approov Mobile Security said, “Despite a lot of pushback, particularly on the 24-hour breach reporting requirements, the EU Cyber Resiliency Act (CRA) is now on its way to being in force in 2024. Companies will have a 21-month grace period before they must conform with the reporting obligation of manufacturers for incidents and vulnerabilities.”

“Any companies who operate in the EU would do well to make it a priority to study this legislation: it provides a cybersecurity framework and rules governing the planning, design, development, and maintenance of any products, with obligations to be met at every stage of the value chain. The breach reporting requirements are particularly demanding.

“This is another sign that pressure is being put on all companies and organizations worldwide to invest in their cybersecurity resilience and response. The SEC is also active, proposing new guidelines with a four-business day reporting rule.

“This trend will continue, and all companies will inevitably have to increase their focus and investment on cybersecurity governance, protection and response.”

David Ratner, CEO, HYAS Infosec, said, “The Cyber Resiliency Act is a great start and will certainly help to increase transparency and responsibility. However, organizations should not let attestations and compliance drive their overall operational resiliency and business continuity strategy. They still require solutions capable of giving them the visibility and observability required to move business forward confidently in the face of a constant onslaught of new and innovative cyber attacks.”
