
    Will EC’s Cyber Resilience Act prove that legislation stifles innovation?


    Secure by design – have we got time?

    The European Commission (EC) has presented a proposal for a new Cyber Resilience Act that will protect consumers and businesses from products with inadequate security features. It would be the first ever EU-wide legislation of its kind, mandating complete security throughout the whole lifecycle of a product. However, it would make two impositions on the EU’s technology industries: collectively they could only be as secure as the weakest link in the supply chain. For the same reason, they could only advance at the speed of the slowest mover.

    The prospect of a Cyber Resilience Act was announced by President Ursula von der Leyen in September 2021 during her State of the European Union address. It builds on the 2020 EU Cybersecurity Strategy and the 2020 EU Security Union Strategy and aims to ensure that anything digital, be it wireless or wired products, hardware or software, is secure for consumers across the EU. Manufacturers must provide security support and software updates to address identified vulnerabilities and brief consumers on the cybersecurity of the products they buy and use.

    “The Cyber Resilience Act will put the responsibility where it belongs, with those that place the products on the market,” said Margrethe Vestager, Executive Vice-President for a Europe Fit for the Digital Age.

    The EU has pioneered a cybersecurity ecosystem through rules on critical infrastructure, cybersecurity preparedness and response, and the certification of cybersecurity products, according to Margaritis Schinas, Vice-President for Promoting our European Way of Life. “Cybersecurity is a matter for society, no longer an industry affair,” said Schinas.

    Computers, phones and connected household appliances are not currently subject to any cyber security obligations, according to Thierry Breton, Commissioner for the Internal Market. This is the problem that the technology industry must tackle from the inception of a product. “By introducing cybersecurity by design, the Cyber Resilience Act will help protect Europe’s economy and our collective security,” said Breton. 

    The new measures proposed are based on the New Legislative Framework for EU product legislation. They outline rules for going to market; essential design; the basic vulnerability handling processes that must be in place; and rules on market surveillance and enforcement.

    The new rules will place much more responsibility on manufacturers to ensure conformity with security requirements for the EU market. The Cyber Resilience Act is likely to become an international point of reference, beyond the EU’s internal market, said the EC in a statement. The European Parliament and the Council are to examine the draft Cyber Resilience Act. Once adopted, economic operators and Member States will have two years to adapt to the new requirements.

    Data breaches cost the EC at least €10 billion and the annual costs of malicious attempts to disrupt traffic on the internet are estimated to be at least €65 billion, according to an impact assessment report. Ransomware cost the global economy €5.5 trillion in 2021, according to the Joint Research Centre report (2020) Cybersecurity – Our Digital Anchor, a European perspective. The EU Cybersecurity Strategy builds on the EU’s Shaping Europe’s Digital Future and the EU Security Union Strategy and leans on a number of legislative acts, actions and initiatives the EU has implemented to strengthen cybersecurity capacities and ensure a more cyber-resilient Europe.

    The new Cyber Resilience Act will complement the EU cybersecurity framework: the Directive on the security of Network and Information Systems (NIS Directive), the Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive), which was recently agreed by the European Parliament and the Council, and the EU Cybersecurity Act.