The European Commission has applauded the political consensus achieved on Thursday night between the European Parliament and the Council regarding the landmark Cyber Resilience Act, initially proposed by the Commission in September 2022.
This legislation introduces mandatory and proportionate cybersecurity requirements for all hardware and software, tailored to the risk levels associated with each product. Approximately less than 10% of products will undergo third-party assessments.
The regulation mandates that all products entering the EU market must meet cybersecurity standards, representing a crucial stride in the ongoing battle against cyber threats from criminals and other malicious actors.
Once enacted, manufacturers of hardware and software will be obliged to implement cybersecurity measures throughout the entire lifecycle of their products, from design and development to post-market placement. Products adhering to the regulation’s requirements will bear the CE marking, signifying their compliance and eligibility for sale within the European Union.
Furthermore, the Cyber Resilience Act imposes a legal obligation on manufacturers to deliver timely security updates to consumers for several years post-purchase, aligning with the expected product usage duration.
This legislative framework seeks to empower users by fostering transparency and responsibility among manufacturers, prompting more informed and secure choices.
In terms of procedural next steps, the agreement is pending formal approval from both the European Parliament and the Council. Once approved, the Cyber Resilience Act will become effective on the 20th day following its publication in the Official Journal.
Upon enforcement, manufacturers, importers, and distributors of hardware and software will have 36 months to align with the new requirements, with a more restricted 21-month grace period pertaining to the reporting obligations for manufacturers regarding incidents and vulnerabilities.
Rooted in the 2020 EU Cybersecurity Strategy and the 2020 EU Security Union Strategy, the Cyber Resilience Act aligns with the 2021 State of the European Union address, forming a pivotal component of the strategy to cultivate a Europe suited for the Digital Age. It complements existing legislation, notably the NIS2 Framework, adopted in 2022.
Amidst a backdrop of rising cyber threats, the Cyber Resilience Act responds to a tripling of software supply chain attacks in the past year, frequent targeting of small businesses and critical institutions, and a concerning surge in ransomware attacks, estimated to cost €20 billion annually. In 2021 alone, cybercriminals executed around 10 million distributed denial-of-service (DDoS) attacks, rendering websites and online services inaccessible.
