European agreement: security requirements and standards for all digital products | News item

News item | 01-12-2023 | 5:00 PM

Consumers and companies make extensive use of products that are connected to each other or to the internet, such as industrial machines, TVs, apps, printers, lamps, cameras and baby monitors. Digital products – software, hardware and components – are expected to meet extensive cybersecurity requirements and standards from 2027. Cyber-insecure devices will then no longer be permitted for sale on the EU market. Requirements include the mandatory and free provision of security updates for as long as a product can reasonably be expected to remain in use.

The EU Member States and the European Parliament have reached a provisional political agreement on this. The so-called Cyber Resilience Act (CRA) is a legal extension, which the Netherlands has actively advocated, to an earlier decision to impose cybersecurity requirements on wireless communicating devices such as routers, baby monitors and smart doorbells via the Radio Equipment Directive (RED). The CRA will soon be broader than the RED: it will not only apply to wirelessly connected devices, but to all hardware and software. It also focuses on tackling and reporting vulnerabilities that arise after a product has been brought onto the market.

Minister Micky Adriaansens (Economic Affairs and Climate): “Manufacturers and importers in the physical world are already responsible for safe products. This will soon also apply to digital products. This is necessary, because digital products and systems are often an ideal gateway for internet criminals to steal data or money, or as a means of hacking. We want to prevent that. The arrival of the CRA is the next step towards this. Secure digital devices work better, protect our data and ensure that we can do business digitally in confidence.”

Support term for entire product lifespan

Manufacturers must provide free security updates for the entire expected life of the product as soon as vulnerabilities are discovered. This support period must be clearly stated at the time of sale and is always at least five years. This minimum duration does not alter the main rule: for example, if the expected use of a product is eight years, support must also be provided for eight years.

Cybersecurity standards

Manufacturers must ensure that products meet the cybersecurity requirements before a product is placed on the market. This concerns, for example, requirements that products are designed securely and tested for vulnerabilities. In many cases, security updates must also be installed automatically, stored personal and financial data must be protected, and the user must be offered the option to permanently delete this data.

Manufacturers must also report incidents and vulnerabilities that are being exploited by malicious parties to the national authorities, the government's Computer Security Incident Response Teams (CSIRTs), within 24 hours. Developers and providers of so-called open-source software that is offered non-commercially do not have to meet the requirements for manufacturers.

Time for implementation and support for smaller entrepreneurs

The three-year period before entry into force provides sufficient time for implementation and for drawing up the technical standards that detail the cybersecurity requirements for manufacturers. There will also be facilities to support micro and small manufacturers in implementing the requirements.

The provisional EU agreement must now be submitted to the EU Member States and the European Parliament for formal approval.