
On 15 September, the European Commission (EC) published the Cyber Resilience Act with the intention of establishing common cybersecurity standards for connected devices, applications and services in the European Union (EU). Organisations can submit feedback on this legislation until 15 November, but what does it mean for businesses, users and suppliers?
Matteo Merialdo, Business Director, EU Cybersecurity, explains.
The EU has long taken measures to combat cybercrime and is generally more advanced than anywhere else in the world. The new Cyber Resilience Act seeks to protect consumers and the market from cyber incidents, and is the latest move along the EU’s path towards realising its digital transformation by 2030.
The new regulation sits alongside two existing instruments: the directive on networks and information systems (NIS), which aims to enhance Member States’ cybersecurity capabilities and to promote information sharing; and the Cybersecurity Act, which came into effect in 2021 and defined the responsibilities of the European Union Agency for Cybersecurity (ENISA).
Why is a new act required?
The Cyber Resilience Act was announced by EC President Ursula von der Leyen during her September 2021 State of the Union address. It aims to establish standard cybersecurity regulations for digital products and associated services within the EU market. Von der Leyen emphasised the growing significance of cybersecurity and urged Europe to take cyber threats seriously and become a leader in cyber defence. The EC’s overall aim is to enhance Europe’s cyber defence capabilities by incorporating defence requirements into the law.
As various economic sectors have become increasingly dependent on digital technologies for business operations, the opportunities that digital connectivity provides also expose economies to cyber threats. In addition, the quantity, complexity, scope and impact of cybersecurity incidents are increasing.
When everything is interconnected, a cyberattack can impact the entire value chain, disrupting numerous economic and social activities. The Cyber Resilience Act is important because it establishes protection for digital products not previously governed by law.
What are the implications for my business?
The regulation sets out several essential requirements for hardware manufacturers, software developers, distributors and importers who market digital products or services in the EU. The requirements include:
- An ‘appropriate’ level of cybersecurity
- A ban on selling products with known vulnerabilities
- Security-by-default configurations
- Protection from unauthorised access
- Limitation of attack surfaces
- Minimising the impact of incidents.
Hardware and software products are increasingly vulnerable to successful cyberattacks, resulting in an estimated annual global cost of cybercrime reaching €5.5 trillion by 2021. Among the most common issues are:
- A low level of cybersecurity protection, as evidenced by widespread vulnerabilities and the inadequate and sporadic provision of security updates to address them
- A lack of understanding and access to information on the part of users, which prevents them from selecting products with adequate cybersecurity properties or employing them in a secure manner.
The Act defines two categories of critical products (Class I and Class II).
The first includes browsers, password managers, antivirus software, firewalls, virtual private networks (VPNs), network management systems, physical network interfaces, routers and chips utilised by NIS2-covered entities. In addition, it contains all operating systems, microprocessors and industrial Internet of Things (IoT) devices not included in Class II.
The second category includes products with a higher risk, such as desktop and mobile devices, virtualised operating systems, digital certificate issuers, general-purpose microprocessors, card readers, robotic sensors, smart meters and all IoT, routers and firewalls for industrial use.
Among other requirements, the Act requires manufacturers to regularly test their products for vulnerabilities – a key innovation in the legislation. Member States would also be required to establish market surveillance bodies. The penalties for non-compliance will amount to several million euros or a percentage of the company’s annual revenue.
What do we do next?
The initial reaction from the market to this proposed Act has generally been positive. The Act also opens new business possibilities for cybersecurity companies. A new call for feedback on this legislation is open until 15 November.
As the consultation period for the new Act will end soon, and the rest of the legislative path may, in business terms, be relatively short, we strongly suggest that all businesses dedicate some time to consulting the Act and determining whether they are compliant. If not, they should understand what steps must be taken to reach compliance. Specialised companies like us can help bridge the gap, improving an organisation’s cybersecurity posture while limiting the cost of compliance (or the potentially much larger cost of non-compliance).