The cyber resilience law proposed by the European Commission (l Cyber resilience law) should form the cornerstone of a new cybersecurity standard for connected devices. A standard whose impact will go far beyond the borders of Europe.
Presented on 15 September 2022 – after being announced by President Ursula von der Leyen 12 months ago – this law is part of the European Union’s cybersecurity strategy (Cyber security strategy).
It imposes cybersecurity requirements and obligations on manufacturers of connected objects, in a broad sense, forcing them to provide ongoing support and software patches and to provide consumers with sufficient information about the security of their products.
“We need to be able to feel safe when we buy products within the single market,” he said for the occasion Margherita Vestager, the European Commissioner responsible for the Europe Fit for the Digital Age project. “Just as we can trust a CE-marked toy or refrigerator, the Cyber Resilience Act will ensure that the connected items and software we purchase are compliant and provide robust cybersecurity guarantees. It will put the responsibility where it should be, that is, with whoever puts the products on the market ”.
“The Cyber Resilience Act will ensure that the connected items and software we purchase are compliant and provide robust cybersecurity safeguards. ”
Margherita VestagerEuropean Commissioner responsible for the Europe Fit for the Digital Age project
“Computers, telephones, appliances, virtual assistive devices, cars, toys: these hundreds of millions of connected products are potential entry points for a cyber attack,” lists Thierry Breton, European Commissioner responsible for the internal market. “Yet, today, most products and software are not subject to any cybersecurity obligations,” he points out. “By introducing the notion of ‘cybersecurity by default’ (‘security by design’), the Cyber Resilience Act will help protect the European economy and our collective security.”
The Commission argues that the new rules will rebalance safety responsibilities by involving more producers and publishers. They will be required to ensure that they comply with the new requirements, which should increase transparency, promote trust, ensure better protection of fundamental rights to respect for privacy and influence regulations on requirements around the world, hopes Europe.
“This law should not be seen as a European requirement,” confirms Keiron Holyome, BlackBerry vice president for the UK, Ireland and EMEA. “Indeed, it will be like a new global standard.” Like the GDPR before, or / and the AI Act in the making.
“The proposed new rules are part of a broader cybersecurity regulatory initiative in the Union,” adds Rod Freeman, partner of the law firm. Cooley which has an office in Brussels. For him, this “Law” heralds a “much higher level of regulatory oversight and accountability for connected product manufacturers. The impact of compliance on companies in the Internet of Things (IoT) space is not to be underestimated.”
“Improving product safety and consumer protection are the main concerns of the European Union. The Cyber Resilience Act should add many legal constraints and increase the risk of product recall for manufacturers of related products, ”continues the lawyer. “These new rules probably also herald the creation of a regulatory agency specializing in cybersecurity of connected products, making the legal landscape much more difficult and risky for companies in this sector.”
The law proposed by the Commission will now be examined by the European Parliament at first reading, then by the Council of the European Union according to the traditional legislative procedure. As this is a regulation, once it has been voted on and validated by the two European institutions, it will be directly applicable in the Member States. But the whole procedure can take two years.
