Cyber Resilience Act: MEPs back plan to boost digital products security

  • More robust cybersecurity for all products with digital elements
  • Covers everyday products, such as connected doorbells, baby monitors and Wi-Fi routers
  • Security updates should be applied automatically when technically feasible

New cyber resilience rules adopted on Wednesday will establish a uniform set of cybersecurity requirements for all digital products in the European Union.

The draft cyber resilience act approved by the Industry, Research and Energy Committee aims to ensure that products with digital features, e.g. phones or toys, are secure to use, resilient against cyber threats and provide enough information about their security properties.

MEPs propose more precise definitions, feasible timelines, and a fairer distribution of responsibilities. The draft rules put products into different lists based on their criticality and the level of cybersecurity risk they pose. MEPs suggest expanding this list with such product as identity management systems software, password managers, biometric readers, smart home assistants, smart watches and private security cameras. Products should also have security updates installed automatically and separately from functionality ones, MEPs add.

They also emphasise the importance of professional skills in the cybersecurity field, proposing education and training programmes, collaboration initiatives, and strategies for enhancing workforce mobility.

Quote

Lead MEP Nicola Danti (Renew, IT) said: “With ever-increasing interconnection, cybersecurity needs to become a priority for industry and consumers alike. Europe’s security in the digital domain is as strong as its weakest link. Thanks to the Cyber Resilience Act, hardware and software products will be more cyber secure, vulnerabilities will get fixed and cyber threats to our citizens will be minimised.”

Next steps

MEPs on the Industry Committee backed the draft cyber resilience act with 61 votes to 1, with 10 abstentions. They also voted to open negotiations with Council with 65 votes to 2, and 5 abstentions – a decision which will have to be greenlighted by the full House in a forthcoming plenary session.

Background

New technologies come with new risks, and the impact of cyber-attacks through digital products has increased dramatically in recent years. Consumers have fallen victim to security flaws linked to digital products such as baby monitors, robot-vacuum cleaners, Wi-Fi routers and alarm systems. For businesses, the importance of ensuring that digital products in the supply chain are secure has become pivotal, considering three in five vendors have already lost money due to product security gaps.