EU Bolsters Cybersecurity Defenses with New Cyber Resilience Act - Revised Version

The European Union has taken a significant step towards fortifying its defenses against cyberattacks with the passage of the Cyber Resilience Act. Announced in September 2022, this new law strengthens the EU’s cybersecurity capabilities and places the responsibility for product security squarely on the shoulders of manufacturers. The Act applies to a broad spectrum of internet-connected devices, encompassing everything from home appliances to toys and even refrigerators. This comprehensive approach is a response to the staggering global cost of cybercrime, estimated at €5.5 trillion in 2021. The legislation aims to plug gaps in existing EU cybersecurity laws for specific sectors like medical devices and automobiles, ultimately creating a more cohesive framework.

The Cyber Resilience Act bolsters the EU’s ability to confront cyber threats through a multifaceted approach. The Act fosters enhanced cooperation between various EU organizations, enabling a more unified response. It also establishes a “cybersecurity alert system,” a pan-European infrastructure designed to detect major threats across the continent. Additionally, the legislation creates a cybersecurity emergency mechanism to improve the EU’s incident response capabilities. Notably, the Act prioritizes the protection of critical infrastructure, such as hospitals and public utilities.

The Cyber Resilience Act outlines four key objectives. Firstly, it requires manufacturers to prioritize security throughout a product’s life cycle, from the initial design phase to after-sales support. Secondly, the Act seeks to establish a clear and consistent cybersecurity framework for hardware and software producers. Thirdly, it emphasizes transparency, requiring manufacturers to be upfront about the security features of their digital products. Finally, the Act empowers businesses and consumers to make informed decisions about using these products securely.

The passage of the Cyber Resilience Act signifies another step in the EU’s ongoing effort to address cybersecurity concerns. This legislation joins a growing list of measures, including the EU Cybersecurity Act, the revised Network and Information Systems Security Directive (NIS2), and the Digital Operational Resilience Act (DORA) for the financial sector. The Cyber Resilience Act specifically aims to achieve a high level of cybersecurity by imposing strict requirements on software and hardware sold within the EU. These requirements encompass the entire product life cycle, ensuring security is prioritized from design to post-sale support for vulnerabilities and cyber incidents.