The European Commission (the “Commission”) has proposed a new ‘Cyber Resilience Act’ (the “Act”) which seeks to protect consumers and businesses that buy or use hardware and software products containing digital elements.
Why is it needed?
According to statistics published by the Commission, successful cyberattacks on hardware and software products containing digital elements have been increasing, and the global annual cost of cybercrime reached an estimated €5.5 trillion in 2021.
The Commission has identified that the major factors causing such issues are:
- a low level of cybersecurity in such products, reflected in widespread vulnerabilities and in the absence of security updates to address them; and
- a lack of understanding on the part of users, combined with a lack of readily available information, which together prevent users from choosing products with adequate cybersecurity properties or from using those products securely.
Whilst the Commission acknowledges that internal market legislation already applies to certain products containing digital components, the majority of hardware and software products are not regulated by European Union (“EU”) legislation, at least not from a cybersecurity perspective.
How does the new Act solve the issue?
Through the Act, the Commission hopes to address both the inadequate level of cybersecurity in products and the inadequate provision of security updates for them.
To that end, the Commission has set four objectives for the Act:
- firstly, to ensure that manufacturers improve the security of their products with digital elements from the design and development phase onwards, and maintain that security throughout the product’s entire life cycle;
- secondly, to establish a more coherent cybersecurity framework than the one currently in place, making compliance easier for hardware and software producers;
- thirdly, to improve transparency about the security properties of products with digital elements across the market; and
- finally, and perhaps most importantly, to ensure that both businesses and consumers can use hardware and software products with digital elements safely and securely.
To achieve these goals, the Act will lay down rules for placing such products on the market. These take the form of essential requirements for the design, development and production of products with digital elements, together with essential requirements for the vulnerability handling processes that manufacturers must put in place (including the provision of security updates) so that the cybersecurity of a product is maintained throughout its entire life cycle, from development and manufacturing onwards.
What does the Act mean for the UK?
Whilst the UK is no longer a Member State of the EU, it should still sit up and take notice of the new Act. The Act will not apply directly in the UK, but it is likely to have implications for the UK economy and for businesses operating within it. Where businesses manufacture goods in the UK to ‘place on the market’ of the EU Single Market (the “Market”), they already have to comply with numerous standards and pieces of legislation, such as CE marking and product safety requirements. At the outset at least, there is no reason why the same principle would not apply to products ‘caught’ by the Act. As such, the Act is likely to have an impact on UK businesses as well.
In addition, the UK is in the midst of debating its own Product Security and Telecommunications Infrastructure Bill (the “UK Bill”). According to the UK Government’s website, the UK Bill follows extensive engagement with the National Cyber Security Centre and with industry stakeholders. Specifically, the product security measures set out in Part 1 of the UK Bill seek to:
- ensure that consumer connectable products are more secure against cyber attacks, protecting individual privacy and security;
- require manufacturers, importers and distributors to comply with security requirements relating to consumer connectable products; and
- create an enforcement regime (with both civil and criminal sanctions) aimed at preventing insecure products from being placed on the UK market.
Whilst the UK Bill has yet to be enacted, it is expected to be the UK’s ‘equivalent’ to the Act, and on what is understood of the two proposals so far there is likely to be considerable overlap between them.
Businesses trading in both the UK and the Market should monitor the development and enactment of both pieces of legislation, so that they design, manufacture and sell in compliance with whichever regime applies in the market they serve.
As the first EU-wide legislation of its kind, the Act is likely to generate a great deal of interest (and perhaps some unease) until it is seen in operation within the Market, not least from a UK perspective, where there is likely to be less foresight, understanding and guidance about ‘what’s to come’ and, crucially, about how the Act will interact with the UK Bill.
Once the draft Act has been adopted, it is understood that economic operators and Member States will have two years to comply with the new requirements, after which it is hoped that hardware and software products will be significantly less prone to successful cyberattacks.
This article was co-written by Josh Grieveson, Trainee Solicitor.