Out-Law / Your Daily Need-To-Know

Out-Law News 2 min. read

European Commission to boost product cyber security with new set of rules


The European Commission intends to protect consumers and businesses from digital products with inadequate security features and has proposed a new Cyber Resilience Act.

The proposal contains mandatory cybersecurity requirements for products with digital elements, which manufacturers, distributors and importers would have to comply with. The new rules would help to protect both consumers and businesses against digital threats such as ransomware attacks. They would apply to all hardware and software directly or indirectly connected to another device or network. Only some products would be exempt from the new requirements, among them medical devices, aviation and cars – since cyber security standards for these products are already laid out in other EU laws.

The Act is designed to "ensure that digital products, such as wireless and wired products and software, are more secure for consumers across the EU", the Commission said. It would increase manufacturers’ responsibilities by obliging them to identify vulnerabilities and provide security support and software updates and will, according to the Commission, help provide consumers with sufficient information about the cybersecurity of the products they buy.

According to the Commission, the Digital Security Act will "increase trust by consumers and business customers, and thus demand for products with digital elements, both within and outside the EU." It will also simplify the legal framework as "businesses will have to comply with one single set of cybersecurity rules across the European Union".

The proposed Cyber Resilience Act will lay down rules for placing products with digital elements on the market. It also contains requirements for designing, developing and producing those products, as well as for importing and selling them. Beyond that, the Cyber Resilience Act will also introduce "essential requirements for the vulnerability handling processes" put in place by manufacturers to ensure the cybersecurity of their products.

According to the draft new rules, manufacturers would need to undergo a process of conformity assessment to demonstrate that their products fulfil the requirements set out in the Cyber Security Act. Depending on the criticality of the product, this could be done by a self-assessment or a third-party conformity assessment.

When compliance of the product with the applicable requirements under the Cyber Security Act has been demonstrated, manufacturers and developers would draw up an EU declaration of conformity and will be able to affix the CE marking to the product. With the CE marking, products will be able to move freely within the EU's internal market.

According to the proposal, the EU member states will be required to appoint market surveillance authorities. These authorities will be responsible for the enforcement of the Cyber Resilience Act and will get a new investigative tool: simultaneous coordinated control actions, or so-called "sweeps", orchestrated by the Commission, to verify compliance with and detect infringements of the regulation.

In cases of non-compliance, market surveillance authorities could force operators to comply with the rules. They could also prohibit or restrict the making available of a product on the market. And they could order that the product is withdrawn or recalled. Additionally, they will be able to fine non-compliant businesses.

The maximum fines proposed by the Commission vary depending on the nature of the non-compliance. The highest fine set out in the proposal is €15,000,000 or up to 2.5 % of the total worldwide annual turnover of the business for the preceding financial year. However, member states will be able to set the exact amount of the fine in national law.

The European parliament and council will now examine the draft Cyber Resilience Act, which could be adopted by the end of 2023. Most of its rules will apply two years after its adoption, with only the reporting obligation on manufacturers for actively exploited vulnerabilities and incidents applicable after one year.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.