Cybersecurity to be a general requirement for digital products

On 15 September 2022, the European Commission published a proposal for a regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for digital products and ancillary services, i.e. Cyber Resilience Act, CRA. The purpose of the proposal is to protect consumers, in particular, against cybersecurity risks that the increasing number of connected devices can generate.

The Act would introduce common cybersecurity rules for manufacturers and vendors of tangible and intangible digital products, including hardware and software, and ancillary services. The requirements would cover a large number of digital products and ancillary services throughout their life cycle. Products within the scope of the regulation would include various connected consumer products and terminal devices, such as cameras, smart cards, mobile devices and network devices like routers.

Aims are to address market needs and protect consumers

The aim of the Cyber Resilience Act is to improve the cybersecurity of digital products and ancillary services, to increase the transparency of security features and to provide the consumers with more information to support their choices and decisions on purchases. The regulation also aims to improve the functioning of the internal market by harmonising the operating conditions of sellers of digital products and ancillary services and by setting safety requirements for access to the internal market.

"Digital products and services provide a lot of opportunities but, at the same time, pose information security risks. The Act very successfully puts cybersecurity in the same category as other rules of conformity. With requirements covering entire life cycles of products and services, we can better protect consumers and help them make safe purchases," says Minister of Transport and Communications Timo Harakka.

The Act would complement the current legislative framework on cybersecurity, which includes the Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive), and the Cybersecurity Act. The Commission's proposal is a part of the new EU Cyber Security Strategy adopted in December 2020 and its objectives.

What's next?

Next the European Parliament and the Council of the EU will discuss the proposal. Once the proposal is adopted, economic operators and EU countries will have two years to adapt to the new requirements. An exception to this is the obligation of manufacturers to report on exploited vulnerabilities and incidents that would already apply one year after entry into force.

The Ministry of Transport and Communications will organise a consultation on the Cyber Resilience Act on 23 September 2022. At the event, the Commission proposal will be presented and views of stakeholders discussed. Further information on the event will be provided by Special Adviser Outi Slant.

Inquiries:

Outi Slant, Senior Specialist, tel. +358 29 535 9298, [email protected]