EU Cyber Resilience Act sets global standard for connected products

The European Union’s (EU’s) proposed Cyber Resilience Act will form the nucleus of a worldwide standard for connected devices and software that will impact far beyond the bloc’s borders, including in the UK, according to security experts.

Laid out on 15 September 2022 by the European Commission (EC) – having been first announced by president Ursula von der Leyen 12 months ago, the act builds on the EU’s Cybersecurity Strategy and Security Union Strategy.

It will ensure digital products such as wireless and wired products, and the software they run, is made more secure for consumer across the EU.

In common with the UK’s Product Security and Telecommunications Infrastructure Bill – currently making its way through the House of Lords – it imposes mandatory cyber security requirements and obligations on manufacturers by obliging them to provide ongoing security support and software patches, and to provide sufficient information to consumers about the security of their products.

“We deserve to feel safe with the products we buy in the single market. Just as we can trust a toy or a fridge with a CE marking, the Cyber Resilience Act will ensure the connected objects and software we buy comply with strong cyber security safeguards. It will put the responsibility where it belongs, with those that place the products on the market,” said Margrethe Vestager, executive vice-president for a Europe Fit for the Digital Age.

EU internal market commissioner Thierry Breton added: “When it comes to cyber security, Europe is only as strong as its weakest link: be it a vulnerable Member State, or an unsafe product along the supply chain.

“Computers, phones, household appliances, virtual assistance devices, cars, toys…each and every one of these hundreds of million connected products is a potential entry point for a cyber attack – and yet today most of the hardware and software products are not subject to any cyber security obligations. By introducing cyber security by design, the Cyber Resilience Act will help protect Europe's economy and our collective security.”

The EC said the new rules would rebalance security responsibility towards manufacturers who will be made to ensure they conform to the new requirements, ultimately benefiting end-users across the EU by enhancing transparency, promoting trust, and ensuring better protection of basic rights to privacy.

The EC acknowledged the act is likely to become an international point of reference beyond the EU’s internal market, and Keiron Holyome, BlackBerry vice-president for the UK and Ireland, Eastern Europe, Middle East and Africa agreed with this view.

“Today, as the EU launches its Cyber Resilience Act to protect European consumers and businesses from the risks caused by insecure digital products, the UK must sit up and take notice. This act should not be viewed as a European requirement, but in fact a new global standard,” said Holyome.

“The EU’s new act further highlights that British organisations must take action, particularly when it comes to the use of potentially insecure smart devices for home working. In fact, BlackBerry’s latest research found that only 21% of UK home workers say their employer has established a cyber security policy for the use of smart devices in the home office. As such, there is a huge opening for cyber criminals looking to target UK enterprises, with knock-on effects to employees themselves.   

“Although smart devices may seem innocent, bad actors can easily access home networks with connections to company devices – or company data on consumer devices – and steal intellectual property worth millions. Therefore, it is vital that British organisations evaluate their cyber security defences now, while introducing mandatory cyber security requirements for hardware and software products used by employees for home working.”

Rod Freeman, partner and head of the products practice at Cooley's, a law firm, said: “The proposed new rules are part of a broader regulatory intervention in cyber security in the EU.  It would mean a new and much higher level of regulatory scrutiny and accountability for manufacturers of connected products. The compliance impact on internet of things [IoT] products companies should not be underestimated.

“With product safety enforcement and consumer protection already a major focus across the EU, the Cyber Resilience Act would substantially add to the growing burden of compliance challenges and product recall risks for companies making connected products. The new rules will also likely bring yet another regulatory agency into the enforcement arena for cyber security for connected products issues, making the legal landscape much more challenging and riskier for companies in this space.”

The act will now go before the European Parliament and the Council to examine, and once adopted, Member States will have the usual two-year period to introduce the new requirements.