The Commission welcomes the political agreement reached last night between the European Parliament and the Council on the Cyber Resilience Act, proposed by the Commission in September 2022.
The Cyber Resilience Act is the first legislation of its kind in the world. It will improve the level of cybersecurity of digital products to the benefit of consumers and businesses across the EU, as it introduces proportionate mandatory cybersecurity requirements for all hardware and software, ranging from baby monitors, smart watches and computer games to firewalls and routers. Products with different levels of risk associated will have different security requirements. Less than 10% of products will be subject to third-party assessments.
With this new Regulation, all products put on the EU market will need to be cyber secure. This is a crucial step in the fight against the growing threat from cyber criminals and other malicious actors.
Once the Cyber Resilience Act is in place, manufacturers of hardware and software will have to implement cybersecurity measures across the entire lifecycle of the product, from design and development through to the period after the product is placed on the market. Software and hardware products will bear the CE marking to indicate that they comply with the Regulation's requirements and therefore can be sold in the EU.
The Act will also introduce a legal obligation for manufacturers to provide consumers with timely security updates for several years after the purchase. This period has to reflect the time products are expected to be used.
Through these measures, the new Act will empower users to make better informed and more secure choices, as manufacturers will have to become more transparent and responsible about the security of their products.
The agreement reached is now subject to formal approval by both the European Parliament and the Council. Once adopted, the Cyber Resilience Act will enter into force on the 20th day following its publication in the Official Journal.
Upon entry into force, manufacturers, importers and distributors of hardware and software products will have 36 months to adapt to the new requirements, with the exception of a more limited 21-month grace period in relation to the reporting obligation of manufacturers for incidents and vulnerabilities.
Cybersecurity is one of the top priorities of the European Commission. We must take strong action to secure our digital products, both software and hardware.
The Cyber Resilience Act builds on the 2020 EU Cybersecurity Strategy and the 2020 EU Security Union Strategy, and was announced in the 2021 State of the European Union address as part of the plan to build a Europe fit for the Digital age. It will complement existing legislation, specifically the NIS2 Framework, adopted in 2022.
In the last year, the number of software supply chain attacks has tripled, and every day, small businesses and critical institutions like hospitals are targeted by cyber criminals. Every 11 seconds, an organisation is hit by a ransomware attack, at an estimated cost of €20 billion annually. And, in 2021 alone, cyber criminals were able to hack devices and launch around 10 million distributed denial of service (DDoS) attacks worldwide, making websites and online services inaccessible to their users.
Consumers need to feel safe with the products available on the EU market. The Cyber Resilience Act agreed today will ensure the digital products we use at home and at work comply with strong cybersecurity standards. Those that place these products on the market must be held responsible for their safety.
Věra Jourová, Vice-President for Values and Transparency - 01/12/2023
The safety of all products circulating in the EU has always been a priority and a success story. With the Cyber Resilience Act, we are filling a gap by completing the safety rules so that security by design applies to all products that reach EU consumers and users. The new rules require every interconnected product sold in the EU to be cybersecure and make sure that our businesses and homes become more secure.
Margaritis Schinas, Vice-President for Promoting our European Way of Life - 01/12/2023
I welcome the agreement reached by the Parliament and the Council on this important regulation my services tabled. This Act guarantees that digital devices within the EU embody robust cybersecurity from their conception throughout their lifecycle. This cybersecurity by design is essential for the security of both consumers and society at large.
Thierry Breton, Commissioner for Internal Market - 01/12/2023
- Publication date: 1 December 2023
- Representation in Cyprus