Users and tech developers are under pressure from the EU Cyber Resilience Act.

The European Commission intends to put into effect stringent new regulations that would hold technology manufacturers liable for the cybersecurity of their devices throughout the course of their life cycles.

Under the European Union's proposed Cyber Resilience Act, producers of any internet-connected device or service would be required to place cybersecurity at the center of their design, and would be ultimately accountable for ensuring that their products are safe to use for years after their sale.

On September 15, Commission President Ursula von der Leyen announced the plans at the "State of the Union" address.

The regulations are designed to compel producers of internet-connected goods, such as software, toys, smart speakers, hard drives, and video games, to send consumers updates, security alerts, and patches when vulnerabilities are found. When clients initially purchase their goods, the developers would assure them that cybersecurity safeguards are already built in.

To guarantee compliance, the proposal includes harsh sanctions: fines of up to 15 million euros ($14.6 million) or 2.5 percent of a company's yearly revenues, whichever is bigger.

While the proposed legislation largely places pressure on technology producers, experts agree that organizations employing the technologies would also have a duty of care to make sure they have chosen the most secure goods available and are not endangering their customers, suppliers, or users.

Prior to the rules being finalized and going into effect, companies would need to review, assess, identify, and mitigate any potential flaws in the technologies and software they are currently using. They would also need to think about notifying customers and regulators of any potential security weaknesses.

According to Will Richmond-Coggan, a data privacy specialist with the legal firm Freeths, "one of the concerns the legislation is directed to is that devices continue to be manufactured and offered for sale which are inherently insecure."

"Businesses or individuals that deploy such technology continue to be responsible for the security of their systems and the devices they deploy. They already have a responsibility to safeguard their systems and should never be deploying untested and insecure third-party tools on those systems," the expert added. "Any such tools, if not tested before deployment, should certainly be the focus of any regular security auditing the business does or otherwise reviewed as a priority on a free-standing basis."

Soon, the new system "is likely to lead businesses and consumers to look for and expect a degree of cyber resilience in the products they buy and make purchasing decisions accordingly, which will in turn drive further change," Richmond-Coggan continued. 

According to Jean-Georges Valle, vice president of the cyber risk group at the consulting firm Kroll, businesses must act immediately to assure compliance. He advised companies to undertake risk analyses and penetration tests to determine what technological safeguards (such as firewalls and data encryption) can be put in place to protect data and IT systems, and what measures (including auditing and monitoring) can be used to identify issues.

"When we look at the current internet of things (IoT) market, a majority of medium- and small-size actors are purely focusing on time to market and the core functionalities of their system. Security only comes as an afterthought, so properly identifying and defining these risks is the only way to put adequate controls in place," he stated.

Companies utilizing IoT technology should be constantly attentive to the security of the goods placed on their networks, according to Daniel dos Santos, head of security research at cybersecurity technology provider Forescout.

"Keeping an accurate and up-to-date asset inventory describing all the devices on a network and the software they are running is a basic cybersecurity control that allows for proper risk assessment and mitigation. This new regulation can help organizations to identify what types of products are critical on their network and compare the proposed requirements to what the manufacturers they rely on are currently doing," said dos Santos. 

According to William Dixon, worldwide head at cybersecurity company ISTARI, the European Union should do more to ensure that device makers not only patch software bugs and maintain security but also educate consumers about the value of doing so, encouraging them to spend the time downloading updates.

"Users should not view cybersecurity as an additional cost," he added, "but rather as a source of trust in the underlying digital architecture on which we increasingly rely."

It is not yet determined when the law could be passed by the European Parliament and the European Council, which is made up of the leaders of all EU member states and the Commission president. If the rule is enacted, member states will have two years to put the legislation into action, but the obligation for manufacturers to report faults will go into effect after one year.
