On Wednesday 16 March, the European Commission opened a public consultation to continue its work on the future Cyber Resilience Act.
This initiative aims to strengthen and ensure a “consistently high level of cyber security” for digital products and ancillary services, some of which are not covered by existing legislation.
The Act would cover, in addition to a wider range of products, the whole life cycle of these products or services, and would also encourage users to choose the level of security they want through greater transparency about technical features.
The Commission is currently putting several options on the table to raise the overall level of security. Besides maintaining the status quo, should current measures be deemed sufficient, voluntary product certification schemes and non-binding guidelines could be considered.
Similarly, ad hoc regulatory interventions could be developed to complement or modify requirements already included in existing legislation in order to better address new risks.
The Commission also suggests a mix of mandatory rules and non-binding measures. This approach could include a default compliance self-assessment, with the possibility for sellers to opt for a third-party assessment. The latter would be mandatory for certain types of products.
A tiered approach could also be considered for the cyber security of non-integrated software, with non-binding measures such as guidelines or recommendations as a first step. These could “possibly” be followed by regulatory interventions, depending on the results of applying the first measures, says the Commission.
See the consultation: https://aeur.eu/f/u2 (Original version in French by Thomas Mangin)