The European Commission has recently published a Cyber Resilience Act proposal for the EU, to bolster cybersecurity rules.
On September 15th, 2022, the European Commission announced its proposal for a Cyber Resilience Act for the EU, a set of tougher cybersecurity rules. The rules will govern products with digital elements, including smart Internet of Things (IoT) devices, and will carry heavy fines for hardware makers and software developers who do not comply. Companies will be expected to demonstrate, through a mandatory conformity assessment, that their products meet essential cybersecurity requirements. With hardware and software products increasingly the target of successful cyberattacks, the Commission identifies two major problems that add costs for users and for society: a low level of cybersecurity in these products, and an insufficient understanding of, and access to, security information by users. The resulting cost is expected to run to trillions this year. To address this, the European Commission has published a draft proposal for the Cyber Resilience Act.
The draft Cyber Resilience Act will require manufacturers to report security incidents and exploited vulnerabilities.
Under the provisions of the draft Cyber Resilience Act, manufacturers will have reporting obligations for actively exploited vulnerabilities and security incidents. They will be expected to notify ENISA (the European Union Agency for Cybersecurity) of “any actively exploited vulnerability” contained in the product and of “any incident having [an] impact on the security” of the product. These are to be reported “within 24 hours of becoming aware of it.” In addition, manufacturers will be required to inform users of such incidents “without undue delay and after becoming aware” of them, and, “where necessary, about corrective measures that the user can deploy to mitigate the impact of the incident.”
Conformity assessment procedures will become mandatory for manufacturers with the introduction of the Cyber Resilience Act.
The draft Cyber Resilience Act will require manufacturers to carry out conformity assessment procedures, draw up technical documentation, and ensure that their products bear a valid CE marking. The legislation will also cover a far greater range of products with digital elements than existing law does. While existing internal market legislation already applies to certain products with digital elements, most hardware and software products on the market today are not covered by any EU legislation addressing their cybersecurity. In particular, the existing EU legal framework does not address the cybersecurity of non-embedded software, even though cyberattacks increasingly target vulnerabilities in such products.
The Cyber Resilience Act proposal is expected to create the conditions for a properly functioning internal market, which in turn benefits consumers.
The proposal for the Cyber Resilience Act was drawn up with four specific objectives in mind. First, the European Commission deemed it necessary to ensure that manufacturers improve the security of products with digital elements from the design and development phase and throughout the product life cycle. Second, the regulation seeks to ensure a coherent cybersecurity framework, facilitating compliance for hardware and software producers. Third, it aims to enhance the transparency of the security properties of products with digital elements. Fourth, it aims to enable businesses and consumers to use products with digital elements securely. Taken together, these objectives are meant to ensure the proper functioning of the internal market: hardware and software products placed on the market with fewer vulnerabilities, manufacturers that take security seriously throughout a product’s life cycle, and conditions that allow users to take cybersecurity into account when selecting and using products with digital elements.
Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.