Political deal on Cyber Resilience Act agreed by European Union
European Union policymakers have reached a political deal on the Cyber Resilience Act to deliver the first legislation of its kind in the world.
The Act is designed to raise the level of cybersecurity of digital products for consumers and businesses across the EU by introducing proportionate, mandatory cybersecurity requirements for hardware and software with digital elements, ranging from baby monitors, smart watches and computer games to firewalls and routers. The requirements will be scaled to the level of risk a product carries, so higher-risk products face stricter obligations.
The legislation will require manufacturers to report "any actively exploited" vulnerabilities, including those for which no fix is yet available, within 24 hours to the EU's cybersecurity agency (ENISA) and to the national Computer Security Incident Response Teams (CSIRTs). It will also require them to maintain the security of a product for its expected lifetime, in most cases for at least five years, or face fines.
The EU Commission, Parliament and Council settled the final text of the law in a so-called 'trilogue' meeting, which resolved the last political hurdles after intense discussions. The Commission has stated that "with this new Regulation, all products put on the EU market will need to be cyber secure."
The text still needs to be formally signed off by the European Parliament in plenary and by national governments in the EU Council. Industry and governments will then have three years to adapt to the new requirements, which are expected to start applying in early 2027.
Manufacturers of connected devices will no longer be able to place products on the market if they know of significant exploitable vulnerabilities. Actively exploited vulnerabilities are an extremely sensitive type of cyber threat intelligence, and who should handle this information was a sticking point in the negotiations.
The EU Council of Ministers moved this task from ENISA, the EU cybersecurity agency, to the national computer security incident response teams (CSIRTs), which have a similar task under the revised Network and Information Systems Directive (NIS2).
Under the compromise with the European Parliament, manufacturers will send notifications simultaneously to the CSIRT and to ENISA via a single reporting platform. However, EU countries insisted that they should be able to restrict the information forwarded to ENISA on cybersecurity grounds, in three situations.
First, the CSIRT will be able to limit the notification when the product is predominantly present in its domestic market and does not entail a risk for other EU countries. Second, national authorities will not be obliged to disclose any information they consider necessary to protect their essential security interests. Third, the notification may be restricted if the manufacturer itself sees an imminent risk in further dissemination and says so in the notification.
A joint declaration from the EU's main institutions will state that ENISA should be given sufficient resources to cope with its new tasks. Non-profit organisations that supply open source software on the market but reinvest all of the revenue in not-for-profit activities are also excluded from the Act's scope.
W Denis Europe arranges comprehensive insurance for EEA-based businesses, large and small, including Data Protection Infringement Cover, Cyber, Errors & Omissions, Directors & Officers Liability and much more. If you wish to discuss your insurance requirements, please visit www.wdenis.eu.