Agence Europe
Europe Daily Bulletin No. 13017
SECTORAL POLICIES / Digital

Cyber Resilience Act, European Commission to unveil strategy to make software and connected objects more secure

The European Commission will present its proposal for a Cyber Resilience Act next week (see EUROPE 12914/13). This text, announced in 2021 by the Commission during the last State of the Union speech, aims to strengthen the requirements to raise the minimum level of cyber security of all connected objects on the market.

In concrete terms, the Commission plans to use the same type of approach as for toys, in particular by imposing requirements on actors who produce and distribute connected objects, with more stringent evaluation rules and increased security guarantees.

Based on horizontal legislation that affects all sectors, the text foresees in particular “to include all computer hardware, laptops, mobile phones, networked equipment and electronic chips”, a European source detailed. A precise list should be part of the proposal.

In addition, stand-alone products, software and applications will also fall under the scope of the text. However, exceptions are made for open-source software, “as long as it is not engaged in commercial activity”, the same source added. Other exclusions would exist, depending on the standards in force, in certain specific sectors.

“You have to be sure that if an object or product is connected, it will have to meet the requirements to have the ‘CE’ mark, proving its conformity”, summarised an EU source, adding that some software already covered by the revised NIS 2 directive (see EUROPE 12992/31) would not fall within the scope of the text.

Additional assessment for 10% of products

The Commission’s approach is based on imposing minimums. Specifically, the text should ensure that products on the market are free of vulnerabilities and are designed to limit attacks, for instance by enabling updates to be installed quickly.

For 90% of the lowest risk objects, self-assessment would be the norm, before a national authority declares a product compliant. For the remaining 10%, representing more critical risks, the approach would be strengthened through an assessment by an independent entity, which would be responsible for checking that the product complies with the rules.

“We are not eliminating all risks. We want to increase the minimum levels to reduce attack capabilities”, said the same EU source.

In addition, a new element of governance has been introduced. While power remains with national supervisors, European-level governance would be proposed in exceptional cases.

For instance, in the event that a national authority has not done its job properly, or in the event that the Commission considers that a product poses a risk - even if a national authority has declared it compliant - an assessment report could be requested by the European Union Agency for Cybersecurity (ENISA).

The report concludes that the Commission would have the capacity to take certain measures through implementing acts.

These measures could range from product recalls to outright withdrawal from the European single market and fines of up to €15 million or 2.5% of a company’s worldwide turnover. (Original version in French by Thomas Mangin)
