The Cyber Resilience Act, designed to make connected devices more secure, is another example of Europe attempting to set the global standard

The current EU legal framework does not capture all products: On 15 September 2022, the EC launched a consultation on the Cyber Resilience Act. With the global cost of cybercrime estimated to be €5.5tn in 2021, the EC is looking to ensure that hardware and software are secure and able to withstand harmful and increasingly sophisticated cyberattacks. These products currently suffer from two main problems: 1) a low level of cybersecurity, reflected by widespread vulnerabilities and insufficient security updates; and 2) poor understanding and limited information, which prevents users from choosing products with adequate cybersecurity properties or using them in a secure way. While existing EU legislation applies to certain “products with digital elements”, most hardware and software products are not covered. Cybersecurity attacks that target their vulnerabilities can lead to significant societal and economic costs.

The response is for stronger cybersecurity rules across the EU: The Cyber Resilience Act has subsequently been designed to bolster rules in order to protect consumers and businesses from wired and wireless products with inadequate security features. A first-of-its-kind piece of legislation for the bloc, which was first signposted in the 2021 State of EU address, the act is intended to build on the 2020 EU Cybersecurity Strategy, specifically the NIS2 Framework. Its two overarching objectives aim to create conditions for the development and commercialisation of secure products with digital elements (i.e. smart devices), and to provide greater transparency to consumers regarding the security properties of the products they buy and use.

Security failures would carry the risk of financial penalties: To deliver on the act’s main objectives, the EC has proposed introducing mandatory cybersecurity requirements for products with digital elements, from the design and development phase, and throughout their whole lifecycle. The act would therefore increase responsibilities on manufacturers of mobile phones, household appliances, virtual assistant devices and more, obliging them to bring goods to the internal market with fewer vulnerabilities. Manufacturers would also have to provide security support and software updates to address any vulnerabilities that may emerge, and adhere to defined incident handling and reporting processes. As with other recent pieces of regulation where the EC is seeking to set the global standard, the Cyber Resilience Act will be backed up by the prospect of fines for security protection failures (of up to €15m or 2.5% of global turnover, whichever is higher).

Source: https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act