European Commission publishes proposal for Regulation on cyber security requirements for products with digital elements, known as the Cyber Resilience Act

The aim of the Cyber Resilience Act is, the Commission says, to bolster cyber security rules to ensure that more hardware and software products are secure.

The Commission says that hardware and software products suffer from two major problems that add costs for users and society:

  1. a low level of cyber security, reflected by widespread vulnerabilities and the insufficient and inconsistent provision of security updates to address them; and
  2. lack of understanding by users and a lack of access to information preventing users from choosing products with adequate cyber security properties or using them in a secure manner.

While existing internal market legislation applies to certain products with digital elements, most hardware and software products are currently not covered by any EU legislation tackling their cyber security. The current EU legal framework does not address the cyber security of non-embedded software, even if cyber-attacks increasingly target vulnerabilities in these products, at significant societal and economic cost.

The proposal identifies two main objectives to ensure the proper functioning of the internal market in this area:

  1. create conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and that manufacturers take security seriously throughout a product’s life cycle; and
  2. create conditions allowing users to take cyber security into account when selecting and using products with digital elements.

The proposal also sets out four specific objectives:

  1. ensure that manufacturers improve the security of products with digital elements from the design and development stage and throughout the whole life cycle;
  2. ensure a coherent cyber security framework, facilitating compliance for hardware and software producers;
  3. enhance the transparency of security properties of products with digital elements; and
  4. enable businesses and consumers to use products with digital elements securely.

The new Regulation will lay down:

  1. rules for the placing on the market of products with digital elements to ensure their cyber security;
  2. essential requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to these products;
  3. essential requirements for the vulnerability handling processes put in place by manufacturers to ensure the cyber security of products with digital elements during the whole life cycle, and obligations for economic operators in relation to these processes; manufacturers will also have to report actively exploited vulnerabilities and incidents; and
  4. rules on market surveillance and enforcement.

The Commission says that the new rules will rebalance responsibility towards manufacturers, who must ensure conformity with security requirements of products with digital elements that are made available on the EU market. The new rules will benefit consumers, citizens and businesses using digital products by enhancing the transparency of their security properties and promoting trust in them.

The proposed Regulation will apply to all products that are connected either directly or indirectly to another device or network. There are exceptions for some products for which cyber security requirements are already set out in existing EU rules, e.g., medical devices, aviation or cars.

It is now for the European Parliament and the Council to examine the draft Cyber Resilience Act. Once adopted, economic operators and Member States will have two years to adapt to the new requirements. An exception to this rule is the reporting obligation on manufacturers for actively exploited vulnerabilities and incidents, which would apply one year from the date of entry into force.