16 September 2022

NEW EU CYBER RESILIENCE ACT PROPOSAL

On 15 September, the European Commission presented a proposal for a new Cyber Resilience Act to protect consumers and businesses from products with inadequate security features. The first EU-wide legislation of its kind, it introduces mandatory cybersecurity requirements for products with digital elements, throughout their whole life cycle.

The Cyber Resilience Act (CRA) introduces common cybersecurity rules for manufacturers and developers of products with digital elements, covering both hardware and software. It shall ensure that wired and wireless products that are connected to the internet and software placed on the EU market are more secure and that manufacturers remain responsible for cybersecurity throughout a product’s life cycle. It shall also allow the customers of these products to be properly informed about the cybersecurity of the products they buy and use.

The Cyber Resilience Act shall bring significant benefits to the various stakeholders. Businesses will have to comply with one single set of cybersecurity rules across the European Union. The aim is to reduce the number of cybersecurity incidents and, with this, the cost of incident handling and reputational damage for companies. As such, it would increase the trust of consumers and business customers, and thus demand for products with digital elements, both within and outside the EU.

At the same time, consumers and users would have more information when choosing a product with digital elements and clearer instructions about its use. As a result of fewer security risks and incidents, consumers and citizens will benefit from better protection of fundamental rights, such as data and privacy protection.

The new Cyber Resilience Act will complement the EU cybersecurity framework, consisting of the Directive on the security of Network and Information Systems (NIS Directive), the Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive), which was recently agreed by the European Parliament and the Council, and the EU Cybersecurity Act.

Source: European Commission