The European Commission has announced a new Cyber Resilience Act that will significantly impact the security of connected devices sold in Europe. This new act will require manufacturers to take the necessary steps to secure these devices before shipping them to market, to promptly disclose and fix any flaws, and to guarantee that fixes will continue to be made for at least five years.
According to Thierry Breton, European Commissioner for Internal Market, “each and every one of these hundreds of millions of connected products is a potential entry point for a cyber attack.” The Commission is concerned about the impact that a single incident could have on the entire supply chain, including the severe disruption of economic and social activities, undermining security, or even becoming life-threatening.
The Act establishes a set of infosec requirements that must be met before a product can be sold in Europe. These requirements cover the design, development, and production of the products, as well as the ongoing support and software updates that must be provided by the manufacturer.
Once a product goes on sale, the manufacturer must disclose any incidents within 24 hours and resolve vulnerabilities through security support and software updates. Manufacturers are required to address cyber security issues for either five years or the expected lifetime of the product. This new legislation will shift the responsibility for securing connected devices towards the manufacturers.
Manufacturers will have a two-year grace period to adapt to the new requirements, with a one-year grace period for vulnerability and incident reporting. Products such as medical devices, airplanes, and cars are exempt from these regulations as they are already subject to other regulations.
Fines for non-compliance can be substantial, with the possibility of penalties of up to $15 million or 2.5% of the offender’s total worldwide annual turnover for the preceding financial year.
The European Commission sees this new legislation as having the potential to establish global standards and to become an international point of reference. This is not surprising, given that the Commission has previously led the world with the General Data Protection Regulation (GDPR) and its actions against tech giants over their business practices and use of data.
In conclusion, the Cyber Resilience Act represents a significant step forward in ensuring the security of connected devices sold in Europe. By shifting the responsibility for securing these devices towards the manufacturers and imposing substantial fines for non-compliance, the European Commission is taking a proactive approach to protecting consumers and businesses from the dangers of cyber attacks.