Cyber Resilience Act: EU consensus on digital product security

July 26, 2023

EU member states agree on the Cyber Resilience Act, ensuring cybersecurity for digital products entering the market. Proposed regulations aim to protect consumers and create a unified digital single market.

Representatives from EU member states, known as Coreper, have achieved a significant milestone by reaching a common position on the Cyber Resilience Act. The proposed legislation aims to establish uniform cybersecurity requirements for products with digital components, such as connected home cameras, smart fridges, TVs, and toys, to ensure their safety before entering the market.

Carme Artigas Brugal, the State Secretary for Digitalisation and Artificial Intelligence, celebrated the agreement, “that advances EU’s commitment towards a safe and secure digital single market. IoT and other connected objects need to come with a baseline level of cybersecurity when they are sold in the EU, ensuring that businesses and consumers are effectively protected against cyber threats. This is an important milestone for the Spanish presidency, and we hope to bring forward negotiations with the Parliament as much as possible.”

The draft regulation sets out mandatory cybersecurity standards for hardware and software product design, development, production, and market availability. Its scope covers all products directly or indirectly connected to other devices or networks, with some exceptions already regulated under existing EU rules, such as medical devices, aviation, and cars.

The proposal’s main objectives include:

• Eliminating overlapping requirements from different EU member states’ legislation.
• Enhancing the cybersecurity of IoT products throughout their lifecycle.
• Allowing consumers to make informed choices by considering cybersecurity features when selecting digital products.

Key elements retained from the Commission’s proposal include:

• Rules that shift compliance responsibility towards manufacturers.
• Essential requirements for vulnerability handling processes.
• Transparency measures for consumers and businesses.
• A market surveillance framework for enforcement.

While the Council’s common position maintains the proposal’s general direction, several amendments have been made. These include specifying the scope of the legislation regarding the categories of products subject to the regulation, reporting obligations for actively exploited vulnerabilities to national authorities (CSIRTs), and support measures for small and micro-enterprises.

The next step involves negotiations between the Spanish presidency and the European Parliament to finalise the proposed legislation. With this agreement, the EU is poised to make significant strides in bolstering the cybersecurity of digital products, fostering a safer and more resilient digital marketplace for all.

Categories : World Focus

Tags : Carme Artigas Brugal Cyber Security EU Products & Technology