The Council presidency and the European Parliament’s negotiators have achieved a significant milestone with a provisional agreement on the proposed European Cyber Resilience Act. This proposed legislation, initially brought forth by the Commission in September 2022, aims to establish stringent cybersecurity requirements for products with digital elements before they enter the market. In this article, we delve into this upcoming legislation, affecting a wide range of manufacturers.
This article was written by Cem Adiyaman ([email protected]) and Sefa Gecikli ([email protected]), who both have a strong focus on law & technology within RSM Netherlands Business Consulting Services
Decoding the European Cyber Resilience Act
In today’s interconnected world, digital hardware and software products are primary targets for cyberattacks. The regulation will apply to all products that are connected either directly or indirectly to another device or to a network. Therefore, it is applicable to products with digital elements, such as connected home cameras, fridges, TVs, toys, laptops, smartphones, sensors, cameras, smart devices, and router.
The interconnected nature of these products means that a cybersecurity incident in one product can swiftly affect entire organizations or supply chains, often crossing borders within the EU's internal market in minutes. Prior to this Act, existing Union and national level initiatives only partially addressed cybersecurity issues, creating a fragmented legislative landscape within the internal market. This not only increased legal uncertainty for manufacturers and users but also imposed a burdensome compliance process.
New proposal aims to address the prevalent low level of cybersecurity in products with digital elements, evident through widespread vulnerabilities and inconsistent security updates. Also the lack of understanding and accessible information for users is another main concern, inhibiting their ability to choose or use products securely.
In this respect, the regulation introduces EU-wide cybersecurity requirements across the design, development, production, and market placement of hardware and software products. The focus is on ensuring that Internet of Things (IoT) products and others with digital components are secure throughout their supply chain and lifecycle.
Key Obligations
- The regulation will apply to all connected products, with certain exceptions where existing EU rules already set cybersecurity standards.
- Manufacturers are obliged to consider security throughout a product’s life cycle, with a default support period of at least five years, unless a shorter usage period is anticipated.
- Reporting obligations for exploited vulnerabilities and incidents are outlined, with national authorities and the EU agency for cybersecurity (ENISA) playing pivotal roles.
- Small and micro enterprises will receive additional support, including training and help with testing and conformity assessment procedures.
Next Steps
In December 2023, political agreement was reached between the European Parliament and the Council. As of now, formal approval by both these institutions is pending. Once the Act is adopted, it will become enforceable 20 days following its publication in the Official Journal. To facilitate a smooth transition, manufacturers have been granted a 36-month adaptation period. Additionally, there is a specific 21-month grace period concerning the reporting obligations for manufacturers. This timeline provides a structured framework for the implementation and compliance with the new cybersecurity regulations.
How RSM Can Assist You
As the landscape of digital law and cybersecurity regulations continues to evolve, RSM stands at the forefront, ready to guide businesses through the complexities of adapting to these new requirements. Our team, boasting a profound and specialized expertise in digital law, cybersecurity compliance, and risk management, is uniquely positioned to provide unparalleled support in this domain. We cater specifically to medium-sized enterprises and family businesses, recognizing the unique needs and regulatory landscapes of each client, both domestically and internationally.