European Parliament Backs Draft Cyber Resilience Act for Secure Digital Products

The European Union approved the draft Cyber Resilience Act on Wednesday, taking a major step towards boosting cybersecurity for digital products.

July 21, 2023

The act, which was passed by the Industry, Research, and Energy Committee, with 61 votes in favor, one against, and 10 abstentions, intends to create consistent standards for cybersecurity across all digital products in the EU.

In particular, it seeks to enhance the security of all internet-connected devices, known as the "Internet of Things," and will cover everyday products such as connected doorbells, baby monitors, and Wi-Fi routers, with the exception of special devices already regulated such as “medical devices, aviation, or cars.”

The proposed legislation would apply to all products that are connected either directly or indirectly to another device or network, and it will aim to provide clear definitions of what digital products are and what cybersecurity measures they should have.

It should also set realistic deadlines for manufacturers to meet these measures and ensure that everyone involved in making and using digital products shares responsibility for meeting cybersecurity requirements.

“With ever-increasing interconnection, cybersecurity needs to become a priority for industry and consumers alike,” said MEP Nicola Danti. “Europe’s security in the digital domain is as strong as its weakest link. Thanks to the Cyber Resilience Act, hardware and software products will be more cyber secure, vulnerabilities will get fixed, and cyber threats to our citizens will be minimized.”

Additionally, the draft rules put products into different lists based on their criticality and the level of cybersecurity risk they pose.

MEPs have suggested expanding the list of products covered by the act to include identity management systems software, password managers, biometric readers, smart home assistants, smartwatches, and private security cameras.

It was also proposed that products should have security updates installed automatically and separately from functionality updates.

Under the Cyber Resilience Act, manufacturers would be obligated to make sure that their products with digital components meet certain security standards. This would include carrying out cybersecurity risk assessments, declaring conformity to the standards, and collaborating with relevant authorities to ensure compliance.

The proposed law also seeks to empower consumers by enabling them to consider cybersecurity when selecting and using digital products. This would allow consumers to make better choices based on the security features offered by the products, which would help them safeguard their personal information and belongings from cyber risks and attacks.

As stated by Interpol, “all devices which can connect to the Internet – collectively called the ‘Internet of Things’ or IoT – are potentially at risk of a cyberattack. Everyday personal items like video cameras, refrigerators, and televisions can be used by cybercriminals for malicious means.”

Italy's investigative TV program Le Iene reported in January on alleged security vulnerabilities in cybersecurity systems and cameras.

These incidents involved individuals being unknowingly monitored in their own homes, with the footage later sold online by the perpetrators. The content of these videos was often highly sensitive and depicted individuals in intimate situations.