
Cyber Resilience Act: “Cybersecurity concerns the whole of society”


The EU Commission has presented the Cyber Resilience Act with security requirements for all products with digital elements. The economy is catching up.


Consumers and companies in the EU should be better protected against products with inadequate IT security functions. On Thursday, the EU Commission presented its previously announced draft for a cyber resilience law. The aim is to ensure security “in the private sphere, in our companies and for all networked products”, emphasized Commission Vice President Margaritis Schinas, who is responsible for promoting the European way of life. “Cybersecurity is not only an issue for industry, but for society as a whole.”


With the Cyber Resilience Act, the Brussels institution wants to introduce basic requirements for the design, development and manufacture of products “with digital elements” such as hardware and software. Economic operators should be obliged to maintain cyber security for the entire product life cycle. This includes, for example, the requirement to introduce vulnerability management. In addition, there are rules for market surveillance and enforcement.


“We need to be able to trust that the products offered in the internal market are safe,” said Commission Vice-President Margrethe Vestager, responsible for digital affairs. Hundreds of millions of connected products are “a potential vulnerability through which cyber attacks can take place,” added Internal Market Commissioner Thierry Breton. He was referring to computers, mobile phones, household appliances, virtual helper apps, cars or toys. The Commission wants to take countermeasures with the concept of “integrated cyber security”.

The Federal Association of Consumer Centers (vzbv) has been eagerly awaiting the initiative: the lack of an obligation on the part of manufacturers to guarantee IT security has exposed users to “unreasonable risks and dangers” in everyday digital life, explained its board member Ramona Pop. “This ranges from digital door locks, which can be hacked too easily, to baby monitors that can be spied on, to identity theft with serious financial damage for those affected.”


According to Pop, the vzbv now wants to examine to what extent the proposal is sufficient “so that only reliable and permanently secure services and digital products are permitted on the European market”. The responsibility for the safety of devices should no longer be passed on to consumers. The requirement to include cyber security in the development of hardware and software, with a view to the entire life cycle of the product, is therefore correct. Self-regulation approaches had not improved the situation so far. Compliance with the requirements must therefore be certified and checked by authorized independent bodies.

The draft regulation, which came “just at the right time”, could “make an important contribution to strengthening the security of networked devices,” acknowledged Achim Berg, President of the Bitkom digital association. “Effective protection against cybercriminals is a prerequisite for bringing the devices and technologies in the networked home to a new level of security.” Resilience to crises was “seldom as important as it is today”.

“Security by design” is laid down in law by the Cyber Resilience Act, explained Berg. Updates would have to be guaranteed for the entire lifetime of a product. This creates more security for users, but also increases the bureaucratic effort for companies. These would be subject to “extensive documentation requirements”. Bitkom is therefore critical of the implementation period of 24 months after the rules come into force, which poses great challenges for many companies in view of the significantly longer development cycles.

With the regulation on cyber resilience, the Commission is tackling a “necessary task”, admits the Association of the Electrical and Digital Industry ZVEI. Even if the industry is heavily burdened with this, a harmonized playing field is necessary in this area. However, the definition of critical and particularly critical products, which also include microcontrollers, industrial automation and control systems or parts of the Internet of Things used in factories, is too broad.

Due to the tightened requirements, there could be “major delays in the EU in the use of digital products and components in the future,” warned Wolfgang Weber, Chairman of the ZVEI Management Board. On the other hand, it is positive that the draft builds on established processes, for example for conformity assessment, and strengthens the role of European standardization. He also considers the planned transitional period of two years to be far too short.

MEP Patrick Breyer (Pirate Party) described it as overdue to finally make commercial manufacturers responsible. At first glance, the proposal “on the one hand falls short and on the other hand goes too far”: There is no clear obligation for producers to “fix known security gaps immediately”. Commercial manufacturers would also have to be held liable for self-inflicted vulnerabilities.

On the other hand, the development of free software is threatened because the same requirements are placed on voluntary programmers as on companies, Breyer complains. The initiative is immature and needs to be revised. René Repasi, consumer policy spokesman for the European SPD, finds a clear, comprehensive “update obligation for manufacturers” missing. The security of connected products or software does not only have to exist when they are launched on the market, “but during the entire useful life of an article”.

