Today, the European Commission (EC) presented a proposal for a new Cyber Resilience Act to protect consumers against products with inadequate security features. This first ever EU-wide legislation of its kind introduces mandatory cybersecurity requirements for products that contain digital elements, covering the whole product lifecycle.
The proposed regulation will apply to all products that are connected, directly or indirectly, to another device or network. The only exceptions are medical devices, aviation and cars, for which cybersecurity requirements are already laid down in existing EU rules.
The proposed measures include:
- rules for the placing of products with digital elements on the market to ensure their cybersecurity
- essential requirements for the design, development, and production of products with digital elements, and obligations for economic operators in relation to these products
- essential requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the whole life cycle, and obligations for economic operators in relation to these processes
- rules on market surveillance and enforcement
Ursula Pachl, the Deputy Director General of the European Consumer Organization BEUC, noted: “We are using more and more connected products in our lives, yet many of them do not even have the most basic cybersecurity features. The market has failed to deliver on cybersecurity, placing consumers at risk. Whether it is a connected toy which gets hacked and allows a stranger to speak to our child, or a smart home alarm that gets disabled, consumers need to be able to rely on the fact that connected products they buy are safe and secure. Today’s proposals mark a welcome break in the reality of poor cybersecurity for consumer products, but we need further improvements to make this law deliver fully for people. For example, certain consumer products, such as children's devices, smart home systems, security devices or internet routers should be classified as high risk and require certification from third parties. Manufacturers should also tackle cybersecurity vulnerabilities during a product’s expected lifespan. Consumers also need to have more effective redress mechanisms at their disposal to get fair compensation when things go wrong.”
Source: EC & BEUC