EU proposes new Cyber Resilience Act
BRUSSELS, Belgium -- The European Commission presented on Thursday a proposal for a Cyber Resilience Act (CRA), a new European Union (EU) law that aims to guarantee the cyber security of connected devices and software sold on the single market.

"The Cyber Resilience Act will ensure the connected objects and software we buy comply with strong cybersecurity safeguards," Margrethe Vestager, executive vice president of the European Commission for a Europe fit for the digital age, said.

"Computers, phones, household appliances, virtual assistance devices, cars, toys... each and every one of these hundreds of millions of connected products is a potential entry point for a cyberattack. And yet, today most of the hardware and software products are not subject to any cyber security obligations," European Commissioner for the Internal Market Thierry Breton explained.

Based on the principle of "security by design," the new law will address three areas of action to ensure the safety of users: cyber security will become mandatory; the manufacturer will remain responsible for their product's cyber security throughout its life cycle; and consumers will be better informed about these parameters while choosing a product with digital elements.

Producers will be able to self-assess 90 percent of their products. These include photo editing and word processing software, smart speakers, hard drives and games.

The remaining 10 percent -- critical products such as password managers, firewalls, operating systems, microcontrollers and industrial firewalls -- will be assessed by a third party.

The CRA will be enforced through a progressive set of measures, according to Breton. The Commission will first ask the producer to comply with the CRA, then the product will either be recalled or permanently withdrawn, and finally a fine equivalent to 2 to 5 percent of the company's global turnover will be applied.

The Commission's proposal for the CRA will now be examined by the European Parliament and the Council. If adopted, EU member states and companies will have two years to transpose the regulation into national law.