The European Parliament and EU member states have reached a provisional political agreement on new rules aimed at protecting digital products across the EU from cyber-attacks.
The European Commission had put forward proposals for the Cyber Resilience Act last year, describing it as “the first legislation of its kind in the world”.
Once the act is in place, manufacturers of hardware and software will have to implement cyber-security measures across the entire life-cycle of the product.
It introduces mandatory cyber-security requirements for all hardware and software, ranging from baby monitors, smart watches and computer games, to firewalls and routers.
List of devices
The rules will put products into different lists based on their importance and the level of cyber-security risk they pose. Two lists will be proposed and updated by the European Commission.
A statement from the parliament said that, during negotiations, MEPs had secured an expansion of the list of devices to cover products such as identity-management systems software, password managers, biometric readers, smart home assistants and private security cameras.
MEPs also pushed for the European Union Agency for Cybersecurity (ENISA) to be more closely involved when vulnerabilities and incidents occur.
Under the rules, the agency will be notified by the member state concerned and receive information to allow it to assess the situation. If it estimates that the risk is systemic, it will inform other member states, so that they can take the necessary steps.
“Parliament has protected supply chains, ensuring that key products, such as routers and anti-viruses, are identified as a priority for cyber-security,” said the lead MEP on the issue, Nicola Danti.
“We have ensured support for micro and small enterprises and better involvement of stakeholders, and addressed the concerns of the open-source community, while keeping an ambitious European dimension,” she added.
The agreement reached is now subject to formal approval by both the European Parliament and the EU Council.