Faced with the increase in cyber threats, in 2021 the European Commission presented the Cyber Resilience Act. This act aims to improve the cyber security of connected products sold in the EU, in order to better protect consumers.
What the Cyber Resilience Act states
Under the Cyber Resilience Act, producers would be required to take measures to ensure that their products are resistant to cyber-attacks. In other words, they must develop secure hardware and software products and ensure IT security throughout the entire product life cycle.
In addition, the law proposal aims to establish a coherent IT security framework within the European Union, facilitating the compliance of hardware and software products.
Finally, it pushes manufacturers to be more transparent about the risks associated with using their products, so that consumers can make more informed choices.
Was it necessary? Certainly. The proposal for a regulation on the cyber security of smart products is grounded in some factual findings:
– the general increase in cyber threats and cyber attacks, which have been growing in sophistication and frequency, and have the potential to cause serious harm to individuals, businesses, and critical infrastructure;
– the presence on the market of too many smart products with vulnerabilities that cybercriminals can exploit;
– the low awareness of consumers about cybersecurity, which stems from insufficient access to information about products that would allow them to choose more wisely.
Besides imposing new IT security standards on manufacturers, the Act also sets out penalties for those who fail to comply. These penalties include fines but also the withdrawal of the product from the EU market. Fines vary according to the type of violation:
– 5 million euros, or up to 1% of annual turnover, if the manufacturer provides incorrect or incomplete information;
– 10 million euros, or 2% of annual sales, for less serious violations;
– 15 million euros, or 2.5% of the annual turnover, for more serious violations.
To assess the compliance of devices on the market, the European Commission can instruct individual member states or the European Union Agency for Cybersecurity (ENISA) to carry out investigations.
What does the Cyber Resilience Act apply to?
The Act covers a wide range of products: from PCs and laptops to smartphones, from wireless headphones to voice assistants, but also smart TVs, video surveillance systems, cars with autopilot, and the whole world of IoT, the Internet of Things.
There are several problems with IoT and connected products. First of all, consumers tend to use weak passwords (or the default passwords), which cybercriminals can easily compromise. Moreover, the devices themselves often lack a secure software and hardware configuration that minimizes the attack surface or ensures data protection. In other words, not only do cybercriminals find the way paved for them, it also becomes difficult to recognize and deal with malicious actions.
The EU Cyber Resilience Act would help to ensure that producers take responsibility for the cyber security of their products. The European Commission believes that it will make a significant contribution to improving the overall level of cybersecurity in the EU, and to boosting confidence in digital products and services. In other words, it is an important step toward making Europe a safer place in the digital world.
But how can manufacturers guarantee the security of connected devices?
Any manufacturer in the world can increase the cybersecurity of their smart products by following two simple paradigms: security-by-design and security-by-default.
With security-by-design, the manufacturer designs and builds the product taking into account cybersecurity risks and solutions from the beginning. The aim is to reduce the vulnerabilities of a device and make it difficult for cybercriminals to exploit them.
On the other hand, security-by-default consists of providing consumers with products that are already secure to use, without the need to change settings or install additional security measures. This is achieved, for example, by ensuring that the devices can only run verified and updated software, or by making sure that passwords are not easy to guess.
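To make the two paradigms concrete, here is an added example (not code from the article, the Commission, or any real manufacturer) of what a secure-by-default posture looks like in a device's own provisioning logic: a unique per-unit credential instead of a shared factory default, a forced password change on first login with a policy that rejects well-known defaults, remote administration switched off until the owner enables it, and a firmware update path that only installs images matching their published manifest and newer than what is installed. The list of default passwords, the serial numbers and the firmware images are constructed sample data; the manifest is assumed to have reached the device over an authenticated channel (a real product would verify a vendor signature on it, which is out of scope here).

```python
import hashlib
import hmac
import secrets
import string

# Constructed, illustrative set of factory-default credentials; a real device
# would check against a far larger list (hypothetical data, not from the article).
KNOWN_DEFAULT_PASSWORDS = {"admin", "password", "12345678", "1234", "default", "root", "user"}


def validate_password(candidate: str, serial: str = "", min_length: int = 12) -> list[str]:
    """Return the policy violations for a candidate password; an empty list means accepted."""
    problems = []
    lowered = candidate.lower()
    if lowered in KNOWN_DEFAULT_PASSWORDS:
        problems.append("matches a well-known factory default")
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = (
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(c in string.punctuation for c in candidate),
    )
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")
    if serial and serial.lower() in lowered:
        problems.append("contains the device serial number")
    return problems


def generate_device_password(length: int = 16) -> str:
    """Random per-unit credential (printed on the label), so no two units share a default."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not validate_password(candidate):
            return candidate


def build_manifest(image: bytes, version: tuple[int, int, int]) -> dict:
    """Manifest the vendor publishes with an image (assumed delivered over an authenticated channel)."""
    return {"sha256": hashlib.sha256(image).hexdigest(), "version": version}


def accept_firmware(image: bytes, manifest: dict, installed_version: tuple[int, int, int]) -> tuple[bool, str]:
    """Accept an update only if it matches its manifest and is newer than the installed version."""
    digest = hashlib.sha256(image).hexdigest()
    # compare_digest avoids leaking, via timing, how much of the digest matched
    if not hmac.compare_digest(digest, manifest["sha256"]):
        return False, "image digest does not match the manifest"
    if tuple(manifest["version"]) <= tuple(installed_version):
        return False, "version is not newer than the installed one (rollback protection)"
    return True, "accepted"


class Device:
    """Minimal model of a secure-by-default unit: unique credential, forced change on
    first login, remote administration off, and only verified newer firmware installed."""

    def __init__(self, serial: str, firmware_version: tuple[int, int, int] = (1, 0, 0)):
        self.serial = serial
        self.firmware_version = firmware_version
        self.password = generate_device_password()  # never a shared "admin"/"admin"
        self.must_change_password = True
        self.remote_admin_enabled = False  # stays off until the owner explicitly enables it

    def login(self, password: str) -> str:
        if not hmac.compare_digest(password.encode(), self.password.encode()):
            return "denied"
        return "password-change-required" if self.must_change_password else "ok"

    def change_password(self, new_password: str) -> list[str]:
        problems = validate_password(new_password, self.serial)
        if not problems:
            self.password = new_password
            self.must_change_password = False
        return problems

    def update_firmware(self, image: bytes, manifest: dict) -> tuple[bool, str]:
        ok, reason = accept_firmware(image, manifest, self.firmware_version)
        if ok:
            self.firmware_version = tuple(manifest["version"])
        return ok, reason
```

The point of the model is that a unit is secure the moment it leaves the box: the consumer cannot keep a guessable default, and a tampered or older image is refused without any setting having to be changed.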
What are the next steps?
The European Commission has presented the Cyber Resilience Act to the European Parliament and the Council of the European Union. The two institutions will now have to adopt it in order for it to become law.
Once it is adopted, member states will have 18 months to transpose the directive into national law and another 6 months to apply it. This means that, if everything goes according to plan, the directive will be applicable from 2024.
Meanwhile, manufacturers will have to take the necessary measures to ensure that their products comply with the new rules.
The European Commission is also working on other initiatives to improve cybersecurity in the EU, which is considered a priority.
It is clear that the EU is taking concrete steps to make the digital world a safer place, and the Cyber Resilience Act is an important piece of legislation that will help to achieve this goal.