With the Cyber Resilience Act, the European Union wants to tighten the screw on cybersecurity

With the Cyber Resilience Act, the Commission intends to impose more data-security rules on manufacturers and publishers of connected products. It thereby hopes to counter the growing number of security failures in these products, which have spread into daily life since the early 2010s.

Examples include the many connected surveillance cameras whose security flaws are regularly pointed out by security researchers and exploited by cybercriminals, or certain connected toys whose manufacturer was put on notice by the Commission nationale de l'informatique et des libertés (CNIL), the French data protection authority, over the espionage risks they expose children to.

But the Cyber Resilience Act is broad: the Commission's proposal aims to establish common rules for all "products with digital elements", a definition that ranges from hardware devices to software. The text does provide some exceptions, leaving out, for example, devices for the medical sector or those intended for aeronautics, which are already covered by other European regulations.


Online services are also excluded from the regulation if they are not directly linked to a product; instant-messaging software and other software offered as online services will therefore not be affected. But the Cyber Resilience Act the European Commission wants has the ambition to regulate everything else: from smartphones to processors, by way of operating systems and browsers.

As summarized by Thierry Breton, Commissioner for the Internal Market: "Computers, phones, household appliances, virtual assistive devices, cars, toys… each of these hundreds of millions of connected products can serve as a gateway to a cyberattack. Even today, most hardware and software products are not subject to any cybersecurity requirements. By introducing cybersecurity by design, the Cyber Resilience Act will help protect Europe's economy and everyone's security."

For each product its category

The text presented by the Commission details an initial set of obligations that apply to all products so defined, then singles out a second category of products considered "critical", which according to the text's authors represents 10% of everything covered by the regulation. This category, itself split into two "classes" by level of criticality, includes devices that play an important role in network security and those whose security flaws would put many people at risk.

The Commission provides the list of products placed in this category, which must meet additional requirements. Class 1 includes, for example, antivirus software, password managers and VPNs. Class 2 includes operating systems for computers, smartphones and servers, connected devices and routers intended for industrial use, and the software needed to run cloud services (hypervisors). The Commission reserves the right to modify the list of devices and services covered by the regulation.

For all products, the text provides for two main steps: manufacturers must take the security of the device or software into account from its design stage, and they must not ship products with known security vulnerabilities. Other measures, such as deploying encryption to protect data confidentiality, may be applied depending on the risk assessment carried out by the manufacturer or by a third party.

Manufacturers should not ship products with known security vulnerabilities

Among the obligations listed, the text seeks to clarify the documentation accompanying products: it must come with clear information about their security, the technical support offered by the supplier and the installation of security updates. The Cyber Resilience Act also includes provisions requiring manufacturers to distribute security patches for at least five years and to implement vulnerability-management procedures in line with European Commission guidelines.

Fines up to 15 million euros

Additional constraints apply to products in the "critical" category: unlike most products covered by the regulation, their manufacturers must demonstrate conformity with an existing standard or have it checked by a third-party body designated by each Member State. In addition, manufacturers must report new vulnerabilities discovered in these products and actively exploited by cybercriminals to the European Union Agency for Cybersecurity (ENISA) within 24 hours.

The Commission entrusts Member States with appointing market surveillance authorities, which are responsible for verifying that organizations and products comply with the new regulation. In the event of a violation, the text provides for fines of up to 15 million euros or 2.5% of the offending company's turnover, as well as the possibility of banning a product from sale on European soil.


The Commission's proposal is only the first step in the text's European legislative journey. It still needs the agreement of the European Parliament and of the Council of the European Union, and the three must negotiate a final text. Many details may therefore change between the Commission's initial proposal and the text finally adopted. As a regulation, the text does not need to be transposed into French law and applies in the same way in all Member States of the European Union. Once adopted, companies and Member States "have two years to adapt to the new requirements", the Commission said.
