European Union strengthens cybersecurity rules for products sold in EU

The proposal for a cyber resilience regulation put forward by the European Commission in September 2022 is slowly moving forward. Negotiators from Parliament and the Council have just reached an informal agreement on the regulation. It strengthens cybersecurity rules to ensure greater security for products sold in the EU.

The Cyber Resilience Act is taking shape. Announced in September 2022 by the European Commission, the proposed regulation aimed at strengthening the security of hardware and software sold in the European Union has passed another milestone. "The Commission welcomes the political agreement reached last night between the European Parliament and the Council on the Cyber Resilience Act", the Brussels-based executive said Dec. 1. The text of the law is intended to respond to the context of cyber threats that are increasingly pressuring suppliers, as well as the growing requirements for measures taken to ensure the security of products sold in the EU throughout their lifecycle, from development to sale. Under the document, IT software and hardware will be CE-marked to indicate that it meets the requirements of the regulation and can therefore be sold in Europe.

"The regulation also introduces a legal obligation for manufacturers to provide consumers with timely security updates for several years after purchase", the Commission said. This period should be consistent with the intended use of the products". Through these measures, the next regulatory framework will enable users to make more informed and safer choices, as manufacturers will have to become more transparent and accountable when it comes to the safety of their products". Unlike the NIS2 directive, which has a broader scope and targets cloud service providers as well as healthcare providers, the cyber resilience law applies to all or part of digital products sold in the single European market.

Practical implementation from 2027

The agreement reached is now subject to formal approval by the European Parliament and Council, which is expected in 2024. Once adopted, the cyber resilience law will enter into force on the 20th day after its publication in the Official Journal. Once it comes into force, manufacturers, importers and distributors of hardware and software will have three years to adapt to the requirements of the cyber resilience law. However, the deadline for reporting incidents and vulnerabilities will come a little earlier, namely within 21 months of the law's enactment.

Overall, the cyber resilience law is a positive step for cybersecurity in Europe. It will help protect users from cyber threats and improve the security of digital products sold in the EU.