The European Commission has put forward plans for new legislation that would require mandatory cyber-security safeguards for products with digital elements, throughout their whole life-cycle.
The EU body said that the move was aimed at protecting consumers and businesses from products with inadequate security features.
Plans for the new Cyber Resilience Act were first announced last year by commission president Ursula von der Leyen.
The details announced today (15 September) would put more responsibility on manufacturers by obliging them to provide security support and software updates to address identified vulnerabilities.
The commission said that the act would also give consumers more information about the cyber-security of the products they bought and used.
Thierry Breton (Commissioner for the Internal Market) stated that Europe was only as strong as its weakest link when it came to cyber-security.
“Computers, phones, household appliances, virtual assistance devices, cars, toys … each and every one of these hundreds of millions of connected products is a potential entry point for a cyber-attack,” he said, adding that most of the hardware and software products were not subject to any cyber-security obligations.
“By introducing cyber-security by design, the Cyber Resilience Act will help protect Europe's economy and our collective security,” Breton said.
The new measures will lay down:
- Rules for the placing on the market of products with digital elements to ensure their cyber-security,
- Essential requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to these products,
- Essential requirements for the processes put in place by manufacturers to ensure the cyber-security of products with digital elements during the whole life-cycle,
- An obligation for manufacturers to report actively exploited vulnerabilities and incidents,
- Rules on market surveillance and enforcement.
The proposed regulation will apply to all products that are connected, either directly or indirectly, to another device or network.
There are some exceptions for products that are already covered by existing EU rules – including medical devices, aviation, and cars.
EU leaders and the European Parliament will now examine the proposals.