Cyber Resilience Act: agreement with Council to boost digital products’ security

On Thursday night, MEPs reached a deal with the Presidency of the Council on new cyber resilience rules to protect all digital products in the EU from cyber threats.

Parliament and Council negotiators reached an informal agreement on the Cyber Resilience Act, which aims to ensure that products with digital features are secure to use, resilient against cyber threats and provide enough information about their security properties.

The rules will put important and critical products into different lists based on their criticality and the level of cybersecurity risk they pose. Two lists will be proposed and updated by the European Commission. During negotiations, MEPs secured an expansion of the list of covered devices with products such as identity management systems software, password managers, biometric readers, smart home assistants and private security cameras. Products should also have security updates installed automatically and separately from functionality ones.

MEPs also pushed for the European Union Agency for Cybersecurity (ENISA) to be more closely involved when vulnerabilities and incidents occur. The agency will be notified by the member state concerned and receive information so it can assess the situation and, if it estimates that the risk is systemic, will inform other member states so they are able to take the necessary steps.

To emphasise the importance of professional skills in the cybersecurity field, MEPs also managed to introduce education and training programmes, collaboration initiatives, and strategies to enhance workforce mobility.

Quote

Lead MEP Nicola Danti (Renew, IT) said: “The Cyber Resilience Act will strengthen the cybersecurity of connected products, tackling vulnerabilities in hardware and software alike, making the EU a safer and more resilient continent. Parliament has protected supply chains ensuring that key products such as routers and antiviruses are identified as a priority for cybersecurity. We have ensured support for micro and small enterprises and better involvement of stakeholders, and addressed the concerns of the open-source community, while keeping an ambitious European dimension. Only together will we be able to tackle successfully the cybersecurity emergency that awaits us in the coming years.”

Next steps

The agreed text will now have to be formally adopted by both Parliament and Council in order to come into law. The Industry, Research and Energy Committee will hold a vote on the file in a forthcoming meeting.

Background

New technologies come with new risks, and the impact of cyber-attacks through digital products has increased dramatically in recent years. Consumers have fallen victim to security flaws linked to digital products such as baby monitors, robot-vacuum cleaners, Wi-Fi routers and alarm systems. For businesses, the importance of ensuring that digital products in the supply chain are secure has become pivotal, considering three in five vendors have already lost money due to product security gaps.