EU Cyber Resilience Act: The proposal is here
This regulation proposal is aimed at setting cybersecurity rules for hardware and software products in the European Union to increase their security.
The EU released its legislative proposal for the European Cyber Resilience Act. Hardware and software products are increasingly subject to cyberattacks, leading to an estimated annual cost of €5.5 trillion by 2021.
This regulation proposal aims to set cybersecurity rules for hardware and software products sold in the European Union, to increase their security and lower the chances of their being involved in cyber incidents. Until now, hardware and/or software products were not addressed by any directive with regard to their cybersecurity unless they were embedded devices/software. As you can imagine, the scope of application of this law proposal is huge and will affect many products on the EU market.
The proposal is 87 pages long and it is not easy to summarize everything in it. However, I will try my best to cover the most important topics:
- The regulation sets rules for placing products with digital elements on the market, to ensure their cybersecurity.
- It sets requirements for the design, development and production of products regarding their cybersecurity.
- It sets essential requirements for the vulnerability handling process that manufacturers must put in place, to ensure the security of products with digital elements during their whole life cycle.
- It sets rules on market surveillance and enforcement of the previously mentioned rules and requirements.
What does all that mean, and how may consumers and producers be affected?
Consumers will receive a product with the following information provided by the manufacturer:
- Where vulnerabilities can be disclosed to the manufacturer.
- The intended use of the product and the security properties it provides.
- Any foreseeable cybersecurity risk derived from misuse.
- A software bill of materials related to the product.
- The type of technical support that can be expected from the manufacturer, and until when users can expect to receive security updates.
- Relevant information on how the user can:
  - Commission the device
  - Install security updates
  - Securely decommission the device
Manufacturers will have to:
- Design products that are in line with the cybersecurity requirements.
- Perform a conformity assessment of their product against the requirements set out in this new rule. This assessment can be performed as a self-assessment or it can be provided by a notified body.
  However, special conditions apply if the product falls into the class I or class II product categories, which are considered the highest-risk ones. In these cases, the manufacturer will have to provide the assessment through very specific means. More information on this topic can be found in article 24.
- Provide documentation to the end user to ensure they can use the device in a secure manner.
- Have a procedure to handle vulnerability disclosures, mitigation and the release of security patches.
States will have to:
- Monitor the market to ensure the rules are being followed.
I’ve summarized a huge law into a few bullet points, so I am sure there are some inaccuracies and oversimplifications, and some topics are not even reflected in the summary. However, I think this high-level overview can provide some insight into what the EU is preparing for the near future regarding the cybersecurity of consumer and industrial products. Feel free to reach out to me to discuss any of the topics if I got them wrong!