In recent weeks, negotiations over the Regulation on Artificial Intelligence (AI Act) filled the news and finally led to a hard-won political deal. However, this is not the only legislative topic that seems to be reaching agreement at EU level. A political agreement has also been reached between the European Parliament and the Council on the so-called Cyber Resilience Act.
1. What will the Cyber Resilience Act apply to?
The Cyber Resilience Act is a horizontal regulation for digital products, aimed at improving the level of cybersecurity of these products by imposing mandatory and proportionate cybersecurity requirements. The range of digital products covered can be very wide, as stated in the Commission's communication: from baby monitors, smartwatches and computer games to firewalls and routers.
Ransomware attacks are a major challenge worldwide, including in the EU. Ransomware attacks occur every 11 seconds, causing enormous damage (some estimates for 2021 put the damage at the equivalent of up to €20 billion per year). As the number of digital products on the market is growing rapidly, strengthening cybersecurity is essential to prevent and effectively address incidents and vulnerabilities.
The Cyber Resilience Act takes a risk-based approach: different requirements are set for products with different risk levels.
The regulation sets out important requirements for digital products:
- cybersecurity aspects should be taken into account throughout the whole lifecycle of the product, including the design, development, manufacturing and maintenance phases,
- cybersecurity risks must be documented,
- manufacturers shall provide information on known vulnerabilities,
- effective vulnerability management must continue after the products have been placed on the market (at least during the support period),
- making security updates available,
- improving transparency regarding cybersecurity,
- ensuring market surveillance frameworks (strengthening the role of ENISA, the EU's cybersecurity agency).
(More information on the expected content of the regulation is available here.)
2. When will the new legislation be applicable?
The legislative process is not yet complete with the political agreement. Discussions on the final text are still ongoing at technical level. Once the final text is ready, both Parliament and Council will have to approve the regulation, which will then be published in the Official Journal of the EU.
After entry into force (which will take place on the 20th day after publication), manufacturers will also have a grace period to prepare for the application of the regulation: after the entry into force of the legislation, manufacturers, importers and distributors of hardware and software products with digital elements will have 36 months (i.e. 3 years) to adapt to the new requirements. The exception to this is the obligation for manufacturers to report incidents and vulnerabilities, which is subject to a grace period of 21 months.
The adoption of the Cyber Resilience Act will probably not be the end of EU cybersecurity legislation: the so-called Cyber Solidarity Act is already in the pipeline to promote a more coherent cross-border EU response to cybersecurity threats and incidents, including the creation of the European Cyber Shield, the Cyber Emergency Mechanism and the Cybersecurity Incident Review Mechanism. For the time being, negotiations between the European Parliament and the Council on the proposal have not yet started, but during the work of the parliamentary committee, proposals have already been made to amend and clarify the original draft. One important question in the package is how to integrate the Cyber Solidarity Act into the existing cybersecurity framework and how duplication can be avoided.
Cybersecurity will also feature prominently in the programme of the Belgian Presidency, which takes over the rotating EU presidency on 1 January 2024 and aims to finalise the Cyber Solidarity Act (see programme, p. 37).