We would like to inform you that on July 19, 2023, the Committee on Industry, Research and Energy of the EU Parliament (ITRE) expressed a favorable opinion on the Cyber Resilience Act, a proposed regulation aimed at harmonizing minimum cybersecurity requirements for products with digital elements.
The advent of new technologies brings with it new risks and an increase in cyber-attacks that exploit digital products (alarm systems, Wi-Fi routers, baby monitors, etc.). The new rules therefore aim to ensure that products with digital components (e.g., telephones, toys and home cameras with an Internet connection) are designed, developed, manufactured and placed on the market in compliance with defined security requirements.
THE CYBER RESILIENCE ACT
The provisions of the Cyber Resilience Act include the following:
- rules that shift responsibility onto manufacturers, who must ensure that their products comply with the European security requirements;
- a scope covering all products connected, directly or indirectly, to another device or network. The only exceptions are expected to be products for which cybersecurity requirements are already defined in other European legislation (e.g., medical devices, automobiles and aviation systems);
- the obligation to report product vulnerabilities to the competent national authorities rather than to the European Union Agency for Cybersecurity (ENISA), as the EU Commission had initially proposed;
- the right of consumers to bring collective legal actions to recover damages suffered from buying a product that does not satisfy the cybersecurity requirements.
LIGHTS AND SHADOWS OF THE CYBER RESILIENCE ACT
The Cyber Resilience Act is intended to improve the cybersecurity of hardware and software products and the handling of their vulnerabilities, and so should reduce the number of cyber threats facing European citizens.
However, the European consumer organisation BEUC has strongly criticized the decision to move the examination of vulnerability reports to national authorities: entrusting that decision-making power to an independent, EU-level body such as ENISA would, in its view, have ensured impartiality and independence.
In addition, the open source community is calling for the text to be amended so as to limit the application of the Cyber Resilience Act to open source software: as drafted, the Act places a number of obligations on developers who offer their software freely on the market, who could be held liable for distributing source code that later proves to be insecure.
NEXT STEPS TOWARDS FINAL APPROVAL
Before negotiations with the EU Council and the Commission on the final version of the text can begin, the text must be approved by the plenary session of the EU Parliament; that vote has been scheduled for September.
We remain available for any further clarification or insight.