Heimdal Security Blog

The European Union Prepares New Cybersecurity Regulations for IoT Devices

The European Commission has proposed a new “EU Cyber Resilience Act” (CRA). The act is intended to protect consumers and businesses that buy or use hardware and software products with a digital component.

If the regulation is adopted, manufacturers that ship products with inadequate security practices and features will face fines.

What Does The Act Affect?

By introducing cybersecurity by design, the Cyber Resilience Act will help protect Europe’s economy and our collective security.

Source

The Act would introduce mandatory cybersecurity requirements for manufacturers, importers and distributors. It would cover products whose intended use includes a direct or indirect data connection to another device or network. It is meant to complement, not replace, existing legislation. The draft excludes free and open-source software that is developed or supplied outside a commercial activity, so as not to hamper research and innovation.

The Commission’s stated aims are to address the inadequate level of security in these products, including insufficient and untimely security updates, and to make it possible for consumers and organizations to identify products that are cybersecure when they buy them, which is difficult today.

The CRA is intended to complement the EU Cybersecurity Act, the Network and Information Systems (NIS) Directive, and the recently agreed NIS 2 Directive (which, among other entities, covers cloud and SaaS providers).

The draft sorts products by the cybersecurity risk an attack on them would pose. Most products fall into a default category where the manufacturer self-assesses conformity, while higher-risk “critical” products are split into two classes, with the higher class requiring third-party conformity assessment.

What Does It Mean For Manufacturers?

Manufacturers will have to report actively exploited vulnerabilities to ENISA, the EU Agency for Cybersecurity, within 24 hours of becoming aware of them, and inform affected users without undue delay about the issue and the corrective measures they can take.

Computers, phones, household appliances, virtual assistance devices, cars, toys… each and every one of these hundreds of millions of connected products is a potential entry point for a cyberattack. And yet, today most of the hardware and software products are not subject to any cybersecurity obligations.

Source

Once the regulation enters into force, manufacturers will have 24 months to comply with its requirements (under the draft, the vulnerability-reporting obligation applies after 12 months). Software and connected devices will have to carry the CE marking to indicate their compliance with the new cybersecurity requirements.

According to ZDNET, if manufacturers fail to comply, national authorities can impose fines of up to €15 million or up to 2.5% of the company’s worldwide annual turnover for the preceding financial year, whichever is higher.

Additionally, importers will need to make sure that the products they place on the EU market are CRA-compliant, CE-marked, and labelled with the importer’s contact details. They must keep the proof of conformity for 10 years after the product is placed on the market.

The CRA proposal must now be examined and approved by the Council and the European Parliament before it can become law.
