The law on the cyber resilience of digital products and components has been approved by a broad majority in the committee of the EU Parliament and by Coreper. The expected benefits, and the problems still to be solved.

The Cyber Resilience Act has taken a first, important step: the Commission for Industry, Research and Energy of the European Parliament has approved the draft law on IT resilience. With broad, almost cross-party support (61 votes in favour, 1 against and 10 abstentions), the members of the Commission also voted, again by a very large majority, to open negotiations with the European Council, so as to reach a shared decision to be approved by the full Assembly in a forthcoming plenary session.

Member State representatives (Coreper) have also recently reached a common position on the proposed legislation regarding horizontal cybersecurity requirements for products with digital elements. The agreement reached within the Council confirms the common European will to approve as soon as possible a crucial law for the protection of digital products and, above all, consumers.

Connected video cameras, smart refrigerators, TVs but also voice assistants or toys are just some of the products concerned, whose market has a significant impact both in terms of revenues and consumers. The smart home sector alone will be worth nearly $450 billion in 2030.


What the Cyber Resilience Act requires

The Cyber Resilience Act intends to ensure that products with digital features and components are safe to use, resistant to cyber threats, and provide sufficient information about their security properties.

Why it is important to approve this law as soon as possible is easy to explain. Considering IoT devices alone, their number will increase from 14.6 billion in 2022 to 30.2 billion by 2030. Furthermore, the European Parliament recalls that the number of devices connected to IP networks will be more than three times the global population by 2023.

Cybersecurity flaws in connected products come with a heavy bill. The European Commission, in the report “Cybersecurity, our Digital Anchor”, highlighted how ransomware attacks affect organizations and companies every 11 seconds all over the world. It is predicted that by 2031 there will be a new attack against a consumer or business every two seconds, costing victims around €251 billion a year. Added to this is that 10 terabytes of data are stolen every month, according to the latest report by the European Union Agency for Cybersecurity (ENISA) on the threat landscape in the EU.

Therefore, there is a need for a measure that can ensure that products with digital characteristics, for example telephones or toys, are safe to use, resistant to cyber threats and provide sufficient information on their security properties.

“We are experiencing an emergency in terms of cybersecurity, which has exploded in recent years”, explains Nicola Danti, MEP and rapporteur of the Cyber Resilience Act for the European Parliament. “We know that the cost of cybercrime is around 5.5 trillion euros. We must therefore arrive, in the next three years when the Cyber Resilience Act will fully enter into force, to count on more secure and IT-resilient products, and on the other hand we will have to have a more effective emergency management system”.

Nicola Danti, MEP and rapporteur of the Cyber Resilience Act for the European Parliament [credit: EP Plenary session – Revised Industrial Strategy for Europe]

In particular, Danti emphasizes the value of the extended security-update obligation: the product specifications will have to state for how long the manufacturer guarantees cybersecurity software updates, so that consumers can see it before buying.

Strengths of the law

What are the basic elements of the Cyber Resilience Act to ensure product and consumer safety?

As specified by the European Parliament itself, the draft law intends to set more precise definitions, feasible timelines and a more equitable distribution of responsibilities. Products will be placed in different lists based on their criticality and the level of cybersecurity risk they pose. Among other things, MEPs suggested expanding the list with products such as software for identity management systems, password managers, biometric readers, smart assistants, “smart” watches and private security cameras. Products should also have security updates installed automatically and separately from functional ones.

“A first key element concerns the issue of updates. We must be able to count on products that are not only sold and guaranteed as cyber resilient by the production system, but also equipped with updates throughout their life cycle – specifies the rapporteur of the bill –. Another important element concerns security updates, concerning product safety: they must be able to be installed automatically, without having to go through personal consent”.

What will the Cyber Resilience Act be about? It will cover all connected and connectable products.

“The law will apply to products and components: for example, motherboards, microprocessors, apps and software. Then there is a list of critical products, password management software, smart cards, routers, modems that have more stringent requirements. On the latter there is a need for a third-party evaluation: in fact, the certifying bodies will verify that the standards required in these products are fully respected”.

The regulatory framework in which the future law on cyber resilience fits

The Cyber Resilience Act will apply to all products made in the EU, but also to those imported and sold in the European Union. The ambition of the European Union with this regulation, after appropriate verification with other global partners starting from the United States, is to see it extended into a global standard.

At the regulatory level, also considering the Cybersecurity Act and the Artificial Intelligence Act, the CRA will be a further step in a European IT security strategy.

“Starting from NIS1 and NIS2, which consider critical infrastructures and dedicated systems, the Cybersecurity Act complies with the certification schemes and gives a permanent mandate to ENISA, as well as more resources and new tasks, ensuring the European Agency a key role in establishing and maintaining the European Cybersecurity Certification Framework. It remains to be seen whether this role will also be confirmed by the European Council in the Cyber Resilience Act”.

Cyber Resilience Act, the open question on open source

The Cyber Resilience Act has received widespread approval, as mentioned, from the Industry Commission of the EU Parliament, but it has also received criticism from open source software developers. They are calling for a change in the text of the law to safeguard the future of open source software. According to them, the current text makes no distinctions, introduces no exemptions for open source developers and merely states that the software must be secure.

“We found ourselves faced with a clear desire to guarantee the role of open source, which we believe is essential, in terms of software development and research and innovation. However, while guaranteeing protection, we also had to establish the necessary rules for the cybersecurity of the products. For this reason we have placed a clear division between what is an activity of a commercial nature and what is not: the latter area includes research activities. When an activity assumes a commercial nature, and the relative products are placed on the market and acquire a commercial value and generate wealth, it is right that they are regulated with CRA”.

The European Parliament’s Committee on Industry, Research and Energy realizes that the implementation of the Cyber Resilience Act will have significant impacts on the productive, industrial and commercial world. “We are aware that we are asking operators in the sector for a significant effort. For this reason we deem it appropriate to implement support measures for compliance with the law. Then there is another sensitive issue: today there are no necessary skills on the market to be able to cope with this regulation. It is therefore necessary to deal with this situation and to organize oneself adequately. I’m talking about the production system, but also about the whole institutional, research and training environment that can support this transformation”.

