Analysis

Connected but vulnerable: the EU’s plans to ramp-up cybersecurity standards 

The upcoming International Internet Day celebrates one of the most important inventions in human history. On October 29th 1969, the first ever internet connection was made. Since then, the world has become hard to imagine without it.

It is estimated that 63% of the global population uses the internet [1], with a user growth rate of 3.5% per year [2]. For many, access to the net has become essential, making life without it seem almost unimaginable. And every year, the way it is used and what we use it for changes.

Despite the many benefits, this growing exposure to the virtual world has also brought new types of risks. Digital, and increasingly non-digital, products are subject to cyber-attacks. Just last week, a large German retail group’s IT system was hacked in Germany, France and Austria.

The Cyber Resilience Act 

The current EU cybersecurity legislative framework does not cover most hardware and software products, especially non-embedded software on the web. As a result, we are unsure of the security of many digital products on the EU market. In 2021 alone, the global cost of cybercrime was EUR 5.5 trillion [3].

To tackle this growing concern, in 2021 Ursula von der Leyen, President of the European Commission, announced plans to introduce common cybersecurity standards for digital products in the EU. This is a stepping stone in ensuring that the EU’s 2030 digital transformation targets are met.

The European Commission presented the Cyber Resilience Act in September 2022. This is the first EU-wide legislation imposing cybersecurity standards by design for networked ‘products with digital elements’ throughout their entire life cycle. Products with digital elements are defined as ‘any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately’.

Requirements for networked products 

The act proposes that all these products, with a few exceptions, can only be placed on the EU market if they comply with essential cybersecurity requirements, such as being delivered without known vulnerabilities.  

Moreover, manufacturers, importers and distributors will have to follow certain mandatory procedures. For example, manufacturers will be required to monitor and address vulnerabilities during their products’ entire life cycle.  

If adopted as currently drafted, conformity assessments for products in scope will need to be undertaken by manufacturers or by third parties appointed by national authorities. The act lists a range of products considered ‘critical’ that must undergo third-party conformity assessments, as these products present higher risks.

The Commission’s proposal will now go through the legislative procedure, during which the European Parliament and Council of the EU, the EU’s co-legislators, will have their say.  

These new rules will serve to address the lack of incentives to produce cyber-secure goods in the EU and worldwide. Indeed, if done right, the Cyber Resilience Act will increase transparency on products’ cybersecurity features across supply chains and will promote cyber-resilience globally.

[1] https://www.statista.com/statistics/617136/digital-population-worldwide/

[2] https://datareportal.com/global-digital-overview

[3] https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act

This is a short summary. For the full analysis, please email [email protected], [email protected]

Written by Sophie Marandon, with contributions from Stephen Crisp.
