The Commission welcomes the political agreement reached last night between the European Parliament and the Council on the Cyber Resilience Act, proposed by the Commission in September 2022.
The Cyber Resilience Act is the first legislation of its kind in the world. It will improve the level of cybersecurity of digital products to the benefit of consumers and businesses across the EU, as it introduces proportionate mandatory cybersecurity requirements for all hardware and software, ranging from baby monitors, smart watches and computer games to firewalls and routers. Products with different levels of risk associated will have different security requirements. Less than 10% of products will be subject to third-party assessments.
With this new Regulation, all products put on the EU market will need to be cyber secure. This is a crucial step in the fight against the growing threat from cyber criminals and other malicious actors.
Once the Cyber Resilience Act is in place, manufacturers of hardware and software will have to implement cybersecurity measures across the entire lifecycle of the product, from the design and development, to after the product is placed on the market. Software and hardware products will bear the CE marking to indicate that they comply with the Regulation's requirements and therefore can be sold in the EU.
The Act will also introduce a legal obligation for manufacturers to provide consumers with timely security updates during several years after the purchase. This period has to reflect the time products are expected to be used.
Through these measures, the new Act will empower users to make better informed and more secure choices, as manufacturers will have to become more transparent and responsible about the security of their products.
Next Steps
The agreement reached is now subject to formal approval by both the European Parliament and the Council. Once adopted, the Cyber Resilience Act will enter into force on the 20th day following its publication in the Official Journal.
Upon entry into force, manufacturers, importers and distributors of hardware and software products will have 36 months to adapt to the new requirements, with the exception of a more limited 21-month grace period in relation to the reporting obligation of manufacturers for incidents and vulnerabilities.
Background
Cybersecurity is one of the top priorities of the European Commission. We must take strong action to secure our digital products, both software and hardware.
The Cyber Resilience Act builds on the 2020 EU Cybersecurity Strategy and the 2020 EU Security Union Strategy, and was announced in the 2021 State of the European Union address as part of the plan to build a Europe fit for the Digital age. It will complement existing legislation, specifically the NIS2 Framework, adopted in 2022.
In the last year, the number of software supply chain attacks have tripled, and every day, small businesses and critical institutions like hospitals are targeted by cyber criminals. Every 11 seconds, an organisation is hit by a ransomware attack, to the cost of an estimated €20 billion annually. And, in 2021 alone, cyber criminals were able to hack devices and launch around 10 million distributed denial of service (DDoS) attacks worldwide, making websites and online services inaccessible to their users.
