EU Commission announces new EU cyber security requirements

The EU Commission is issuing new EU draft legislation on cyber resilience.

With the proposed legislation, manufacturers, importers and distributors of products with digital elements will be subject to extensive obligations.

With the proposed legislation, manufacturers, importers and distributors of products with digital elements will be subject to extensive obligations. According to the proposal, manufacturers would be obliged to check these products for vulnerabilities and to close any security gaps that are identified. The national authorities can impose severe sanctions in the event of a breach.

The main reasoning behind the law is to prevent products with digital elements from being a gateway for cyber-attacks. Furthermore, consumers should be provided with sufficient information to be able to make an informed decision when they purchase such products.

The draft regulation assigns responsibility to manufacturers to ensure that products with digital elements made available on the EU internal market comply with security requirements. In addition, the draft regulation aims to harmonize and streamline cybersecurity requirements for products with digital elements and avoid overlapping requirements that stem from different sectoral and national EU and national legislation.

The CRA is applicable to products with digital elements. Art. 2 (1) CRA specifies that these are products whose intended or foreseeable use also involves a direct or indirect, logical or physical data connection to a device or network. According to this draft, a product with digital elements is a software or hardware product and its remote data processing solution.

The texts of the Regulation can be consulted HERE.