News: New EU cyber security rules

On 15 September 2022, the EU Commission presented a proposal for a new law on cyber resilience to protect consumers and businesses from products that are insufficiently secured. It is the first EU-wide legislation of its kind and introduces cybersecurity requirements throughout the lifecycle of products with digital elements.

This law was announced by President Ursula von der Leyen in her State of the EU address in September 2021, building on the EU’s 2020 Cybersecurity Strategy for the Digital Age and the EU’s Security Union Strategy from the same year. The law will make digital products, such as wireless and wired products and software, safer for consumers across the EU. The law will not only force manufacturers to act more responsibly by offering security support and software updates against identified vulnerabilities, but also provide consumers with sufficient information about the cyber security of the products they buy.


Margrethe Vestager (1968) is a Danish politician, deputy chairman and commissioner for digital media

Margrethe Vestager, Executive Vice-President for a Europe fit for the digital age: “We must feel safe with products we buy on the internal market. Just as a CE marking shows us that a toy or a refrigerator is reliable, the Cyber Resilience Act will ensure that connected objects and software meet strict requirements for cyber security. The law will place responsibility where it belongs, namely with those who market the products.”

Margaritis Schinas (1962) Vice-President of the European Commission with the portfolio of EU Commissioner for the Promotion of the European Way of Life

Margaritis Schinas, Vice-President to promote our European way of life: “The Cyber Resilience Act is our response to modern security threats that are ubiquitous in our digital society. The EU has been the first to create a cybersecurity ecosystem through rules on critical infrastructure, cybersecurity preparedness and response, and certification of cybersecurity products. Today, we’re bringing the final piece of that ecosystem: a law that ensures security in our homes, in our businesses, and in every connected product. Cybersecurity is a community issue, no longer an industry issue.”

Thierry Breton (1955) is EU Commissioner for the Internal Market and Services

Thierry Breton, Commissioner for the Internal Market: “In terms of cyber security, Europe is only as strong as its weakest link, whether that is a vulnerable Member State or an insecure product in the supply chain. Computers, phones, home appliances, virtual assistants, cars, toys, etc., every single one of millions of products is a potential entry point for a cyber attack. And yet most hardware and software currently have no cybersecurity obligations. By introducing cyber security as standard, the Cyber Resilience Act will help protect the European economy and our collective security.”

Every 11 seconds, somewhere in the world, an organization falls victim to a ransomware attack. By 2021, cybercrime was estimated to cost €5.5 trillion annually worldwide (Joint Research Centre report (2020): Cybersecurity – Our Digital Anchor, a European perspective). So it is more crucial than ever to ensure a high level of cyber security and to make digital products less vulnerable, because successful attacks often come through such products. An increase in the number of smart and connected products means that a cybersecurity problem in a single product can affect the entire supply chain, seriously disrupt the economy and social life of the Single Market, and can be detrimental to security or even life-threatening.

The measures we are proposing today are based on the new legislative framework for EU product law and include:

a) rules for the marketing of products with digital elements to ensure their cyber security

b) essential requirements for the design, development and manufacture of products with digital elements and obligations for economic operators in connection with these products

c) essential requirements for the procedures followed by manufacturers to address vulnerabilities, to ensure the cyber security of products with digital elements throughout their life cycle and obligations of economic operators in relation to those procedures. Manufacturers will also be required to report actively exploited vulnerabilities and incidents;

d) market surveillance and enforcement rules.

The new rules put the responsibility back on the manufacturers to ensure that products with digital elements that are made available on the EU market meet the safety requirements. The rules benefit consumers, citizens and businesses using digital products by increasing the transparency of security features and trust in products with digital elements and by better protecting fundamental rights such as privacy and data protection.

Other jurisdictions around the world are also addressing these issues, and our Cyber Resilience Act can become an international point of reference. EU standards based on the Cyber Resilience Act will facilitate their implementation and will be an asset for the European cybersecurity industry in global markets.

The proposed regulation will apply to all products that are directly or indirectly connected to another device or network. For some products where cyber security requirements are already included in existing EU rules, there are a number of exemptions, for example for medical devices, aerospace products and cars.

Next step. It is now up to the European Parliament and the Council to discuss the draft law on cyber resilience. Once the law is adopted, economic operators and member states will have two years to adapt to the new rules. However, the obligation for manufacturers to report actively exploited vulnerabilities and incidents comes into force one year after the effective date, as it requires fewer organizational changes than the other new obligations. The Commission will periodically review the Cyber Resilience Act and report on its operation.

Background. Cybersecurity is one of the Commission’s top priorities and a cornerstone of a digital and connected Europe. The increase in cyber attacks during the corona crisis has shown the importance of protecting hospitals, research centers and other infrastructure. There is therefore a need for a strong effort to future-proof the EU’s economy and society. Data breaches are estimated to cost at least 10 billion euros annually; malicious attempts to disrupt internet traffic are estimated to cost at least 65 billion euros (impact assessment accompanying the Commission Delegated Regulation supplementing the Delegated Regulation under the Radio Equipment Directive).

The Cyber Security Strategy, presented in December 2020, proposed to integrate cyber security in all parts of the supply chain and to further bring together EU activities and resources across the four cyber security communities (single market, law enforcement, diplomacy and defence). The strategy is based on the European Digital Strategy and the EU’s Security Union Strategy and builds on a number of legislative actions, measures and initiatives that the EU has introduced to strengthen cyber security capabilities and ensure a more cyber-resilient Europe.

The new Cyber Resilience Act complements the EU’s cybersecurity framework: the Directive on the Security of Network and Information Systems in the Union (NIS Directive), the Directive on Measures for a High Common Level of Cyber Security in the Union (NIS 2 Directive), recently adopted by the European Parliament and the Council, and the Cyber Security Regulation.
