Cybersecurity Requirements for Connected Products – the Cyber Resilience Act Proposal

Cybersecurity is one of the European Commission’s top priorities and a cornerstone of the digital and connected Europe. An increase in cyber-attacks during the coronavirus crisis has shown how important it is to protect hospitals, research institutions and other important areas of the infrastructure.

In parallel with the EU legislative efforts within Responsible AI and the upcoming AI Act, the European Commission is now moving ahead with a proposal for a new Cyber Resilience Act to protect consumers and businesses from products with inadequate security features. The proposal is based on the New Legislative Framework for EU product legislation and aims to safeguard consumers and businesses buying or using products or software with a digital component. The Cyber Resilience Act would target inadequate security features with the introduction of mandatory cybersecurity requirements for manufacturers and retailers of such products, with the protection extending throughout the product lifecycle.

In the words of Margrethe Vestager, Executive Vice-President for a Europe Fit for the Digital Age:
“We deserve to feel safe with the products we buy in the single market. Just as we can trust a toy or a fridge with a CE marking, the Cyber Resilience Act will ensure the connected objects and software we buy comply with strong cybersecurity safeguards. It will put the responsibility where it belongs, with those that place the products on the market.”

Similar to what we see within Responsible AI and the AI Act, the Cyber Resilience Act is likely to become an international point of reference, beyond the EU’s internal market. EU standards based on the Cyber Resilience Act will facilitate its implementation and will be an asset for the EU cybersecurity industry in global markets.