European Union to Strike Cybercrime
New Legislative Proposal Will Enhance Cybersecurity Across E.U.
According to the impact assessment report, the annual costs caused by malicious attempts to disrupt traffic on the Internet are estimated to be at around €65 billion.
With more and more devices being connected to the Internet and the user count constantly growing, the risks of cyberattacks grow exponentially. The introduction of the Cyber Resilience Act is meant to cover everything from computers and mobile phones to smart kitchen appliances and digital children’s toys.
The EU’s Cyber Resilience Act arrives on time to join several other pieces of legislation proposed around the world that aim to prevent cybercrime. The global economy amounted to €5.5 trillion in losses in 2021 alone, according to Cybersecurity Ventures. By 2025, cybercrime damages are expected to exceed €10 trillion.
Following a major ransomware attack in May 2021, the United States enacted a new law reinforcing cybercrime disclosure requirements for companies working in critical infrastructure sectors. The law requires the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations in order to facilitate a quick response in the event of cyberattacks, as well as analyze incoming reporting across sectors to spot trends, and proceed to sharing that information with network defenders to warn other potential victims.
The Cyber Resilience Act is our answer to modern security threats that are now omnipresent through our digital society.
In addition, the US Securities and Exchange Commission and the US Congress are also pursuing new regulations to strengthen and standardize cybersecurity benchmarks and cybercrime disclosure requirements.
What Will Happen in the E.U.
The Cyber Resilience Act will introduce mandatory cybersecurity requirements for manufacturers and retailers alike. All items that are directly or indirectly connected to another device or network would be covered by it. The EU plans to rate different products as Class II or Class I, depending on what negative impacts a cyber incident can have. Class I includes a range of security hardware and software, while Class II refers to everything from operating systems to processors, routers, smart cards, IoT devices, robotic sensors, and Industrial Automation & Control Systems.
Once the CRA is adopted, software and products connected to the internet must have the CE marking displayed, to indicate they comply with the new standards. Requiring manufacturers and retailers to prioritize cybersecurity, customers and businesses would be empowered to make better-informed choices.
Furthermore, manufacturers will be required to notify their consumers of actively targeted vulnerabilities, as well as report them to ENISA, Europe’s cybersecurity regulatory body, within 24 hours of becoming aware of them.
Upon approval by the European Parliament and the European Council, EU countries will have two years to implement the new rules. Refusal or failure to comply with the CRA requirements, will result in fines of up to €15 million or up to 2.5% of the company’s worldwide annual turnover for the previous financial year.