The European Commission issues a new Cyber Resilience Act proposal
The European Commission has proposed the Cyber Resilience Act to enforce cybersecurity requirements for products with digital aspects. The Act mandates rules for market entry, design, and vulnerability handling, obligating manufacturers to report exploits. It aims to enhance product security, increase manufacturer accountability, and inform consumers. The draft will undergo examination by the European Parliament and the Council, with a two-year adaptation period for economic operators. Reporting on vulnerabilities must start within a year of enactment. Regular reviews of the Act’s effectiveness are planned.
The European Commission has proposed a new Cyber Resilience Act to protect consumers and businesses from products with inadequate security features. The Act introduces mandatory cybersecurity requirements for products with digital elements throughout their whole lifecycle. The measures proposed in the Act will formulate:
(a) Rules for the placing on the market of products with digital elements to ensure their cybersecurity;
(b) Requirements for the design, development, and production of products with digital elements and obligations for economic operators concerning these products;
(c) Requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the whole life cycle and obligations for economic operators regarding these processes. Manufacturers will also have to report actively exploited vulnerabilities and incidents;
(d) Rules on market surveillance and enforcement.
The Act will ensure that digital products are more secure for consumers across the EU. It will increase manufacturers’ responsibility by obliging them to provide security support and software updates to address identified vulnerabilities. It will also give consumers sufficient information about the cybersecurity of the products they buy and use.
Next, the European Parliament and the Council will examine the draft Cyber Resilience Act. Once adopted, economic operators and the Member States will have two years to adapt to the new requirements. However, the reporting obligation on manufacturers for actively exploited vulnerabilities and incidents would apply already one year from the date of entry into force. The Commission will regularly review the Cyber Resilience Act and report on its functioning