On September 15, Thierry Breton, Commissioner for the Internal Market, and Margaritis Schinas, Vice President for Promoting our European Way of Life, presented the “Cyber Resilience Act”. This European proposal aims to protect consumers and businesses from insecure connected products through new uniform standards for placing them on the market. Manufacturers will be required to comply with these standards when developing their products (hardware and software), as well as throughout the products' entire life cycle.
As Thierry Breton explained at the press conference, the number of connected devices is constantly increasing: there should be “75 billion by at least 2025” worldwide. However, “computers, phones, home appliances, virtual assistants, cars, toys… each of those hundreds of millions of connected products can serve as a cyberattack gateway.”
Despite this risk, there is still no general regime obliging manufacturers to ensure the security of their products. Hence the idea of establishing a “security by design” obligation, the principle that cybersecurity must be taken into account from the product development stage onwards.
Hardware and software
In detail, the text applies to wireless and wired products that are directly or indirectly connected to another device or network, and to software. On the other hand, it does not apply to software provided as part of a service (that is, not tied to a product), nor to products in certain sectors, such as medical devices, aviation and cars, for which rules already exist.
At the procedural level, depending on the criticality of the product, manufacturers will either be able to self-assess their products (low criticality) or will need a third-party assessment (high criticality). “For 90% of products, the manufacturer will be able to make a declaration of conformity himself,” explains the European Commissioner. We clearly wanted to assert that [the formalities]
On the other hand, there are “about thirty products that are much more critical in terms of cyber risks”, such as routers and operating systems, for which compliance verification must be carried out by a third party. Once compliance has been demonstrated, manufacturers will be able to affix the CE marking to their products, indicating that they comply with the requirements of the Cyber Resilience Act and can circulate freely on the internal market.
Manufacturers will also have to comply with new rules aimed at providing consumers with more accurate information and clearer instructions.
Penalties in case of non-compliance
Member States will have to designate market surveillance authorities responsible for ensuring compliance with the prescribed obligations. In the event of non-compliance, these authorities may require operators to end the non-compliance and eliminate the risk, prohibit or restrict the placing of the product on the market, or order the product's withdrawal or recall. They will also have the power to impose fines on non-compliant companies.
Non-compliance with the security requirements can lead to a fine of up to 15 million euros, or 2.5% of total worldwide annual turnover. Providing incorrect, incomplete or misleading information is punishable by a fine of up to 5 million euros or, if the offender is an enterprise, up to 1% of its total worldwide annual turnover.
Before becoming final, the text must be approved by the European Parliament and the Council. After its entry into force, economic operators and Member States will have two years to adapt to the new requirements. However, manufacturers will have only one year to meet their obligation to report actively exploited vulnerabilities and incidents.