As one of its top priorities under both the EU Cybersecurity Strategy and the EU Security Union Strategy, the European Commission has presented the Cyber Resilience Act: a proposal for a regulation on horizontal cybersecurity requirements for products with digital elements, amending Regulation (EU) 2019/1020, with the aim of bringing more secure products to the EU market.
The proposal aims at a more coherent legal framework and introduces new cybersecurity requirements to improve transparency and better protect users from products with inadequate security features.
Which products are included?
All products with digital elements whose intended and reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network, covering both hardware and software. This means that many products consumers typically use will be affected by this regulation.
Products considered critical are divided into two classes (Class I and Class II) according to their cybersecurity risk level; all other products fall under a default category. The classification considers the potential impact of cybersecurity vulnerabilities, the product's functionality, and its intended use in sensitive environments. Products may only be made available on the market once they meet the essential cybersecurity requirements (most of which are still to be specified).
Who is responsible?
All economic operators (manufacturers, importers and distributors), each according to their role and responsibilities in the supply chain.
What are they responsible for?
Economic operators should report actively exploited vulnerabilities and incidents, handle vulnerabilities effectively, and give customers sufficient information about cybersecurity. Manufacturers remain responsible for the cybersecurity of their products throughout the whole product lifecycle. They must also demonstrate conformity with the essential requirements, either through a self-assessed declaration of conformity or through third-party certification, depending on the "criticality" of the product.
Next steps
The Cyber Resilience Act also lays down rules on market surveillance and enforcement to ensure its proper and uniform application. It is now for the European Parliament and the Council to examine the draft. Once adopted, economic operators and the Member States will have two years to adapt (in the proposal, the manufacturers' reporting obligation would apply earlier, after one year). We will pay close attention to these developments toward a more coherent regulatory framework for secure and reliable digital products.