Smart device cybersecurity proposals for Europe

22 September, 2022

The European Commission has proposed a Cyber Resilience Act with security features for smart appliances and other digital products.

From toys to vehicles and laptops to fridges, as well as software packages, whether wired or wireless, all digital products placed on the EU market are in the sights of the new legislation, which would introduce mandatory cybersecurity requirements covering their whole lifecycle.

The proposed act is based on a ‘security by design’ approach, with the burden primarily on manufacturers, and requires cybersecurity to be taken into account from the planning stage through design, development, production, delivery and maintenance.

All cybersecurity risks are to be documented, and manufacturers will have to report actively exploited vulnerabilities and incidents.

Once a product is sold, manufacturers must ensure that vulnerabilities are handled effectively for the expected lifetime of the product or for a period of five years, and security updates are to be made available for at least five years.

There also must be clear and understandable instructions for the use of the products.

“We deserve to feel safe with the products we buy in the single market,” commented Margrethe Vestager, executive vice-president for Europe Fit for the Digital Age.

“The Cyber Resilience Act will ensure the connected objects and software we buy comply with strong cybersecurity safeguards. It will put the responsibility where it belongs, with those that place the products on the market.”

According to a fact sheet on the proposed act, the majority of products, 90%, will fall into the default category for self-assessment. Examples include photo editing and word processing software, smart speakers, hard drives, games, etc.

The remaining 10% are ‘critical’ products, in either class I or class II. Class I includes password managers, network interfaces and firewalls, and requires application of a standard or third-party assessment; class II includes operating systems and CPUs, and requires third-party assessment.

In the fact sheet the Commission points to ransomware attacks occurring every 11 seconds and having cost an estimated €20 billion (US$19.8 billion) globally, while the total cost of all cybercrime globally is estimated at €5.5 trillion in 2021.

The proposed act now has to undergo several steps through the European Parliament and Council before being implemented, with any changes that are agreed during the process. Once implemented, member states would have two years to adapt to the requirements, although manufacturers would be required to meet the reporting obligations after one year.

More info: SMART ENERGY
