The Cyber Resilience Act: towards a new reinforcement of cybersecurity?
“Computers, phones, home appliances, virtual assistive devices, cars, toys… each of these hundreds of millions of connected products can serve as a gateway to a cyber attack. Yet today, most hardware and software products are not subject to any cybersecurity requirements.” (Thierry Breton, European Commissioner for the Internal Market)
Following the adoption of numerous regulations and directives aimed at strengthening the Union’s digital sovereignty (‘RGPD’, ‘DSA’, ‘DMA’, etc.), the European Commission is continuing its momentum by proposing a new regulation: the ‘Cyber Resilience Act’. The objective of this regulation is to impose a “cybersecurity by design” policy for every “product with digital elements”, such as certain connected toys, connected speakers, password managers or operating systems.
Manufacturers of digital products will therefore have new obligations, such as documenting all cybersecurity risks, fixing all known security flaws, providing security updates for their digital products for a minimum of 5 years, and providing clear instructions for use regarding the security of these products.
Additional requirements will be imposed on digital products considered “critical” (10% of digital products).
The likely adoption of this future regulation will be beneficial for economic actors, insofar as cybersecurity rules will be identical in every Member State, and it will bring more confidence to consumers, which is essential for growing a business.
Deterrent penalties are imposed for non-compliance: fines of up to €15 million or 2.5% of turnover.