European Commission consultation: the new Cyber Resilience Act

The Cyber Resilience Act is to address a lack of appropriate security in digital products and ancillary services.

29 March 2022

Publication

On 16 March 2022, the European Commission (EC) issued:

  1. a call for evidence for an impact assessment, and

  2. a public consultation,

in respect of a proposal for a Regulation on horizontal cybersecurity requirements for digital products and ancillary services (EU Cyber Resilience Act).

The Cyber Resilience Act is intended to set up streamlined cybersecurity requirements covering a wide range of digital products and their ancillary services, including tangible digital products (wireless and wired) and non-embedded software, and would cover their whole life cycle. The Cyber Resilience Act would also complement the recently announced Delegated Regulation under the Radio Equipment Directive (2014/53/EU).

In the context of the Cyber Resilience Act:

  • 'Digital product' covers both hardware and software products, including software that can be made available without hardware (non-embedded software)
  • 'Ancillary service' means a (digital) service, the absence of which would prevent the tangible product from performing its functions.
  • 'Non-embedded software' means software that comes with applications that are different from the basic functionality of a digital product.

The EC considers that one of the main avenues for successful cyber attacks is the lack of appropriate security in digital products and ancillary services. According to the EC, vendors (e.g. hardware manufacturers, software developers, distributors and importers) often do not put in place adequate cybersecurity safeguards, do not adequately respond to vulnerabilities throughout a product's lifecycle, and do not systematically provide information on product security. Reasons for this include a lack of qualified security professionals and a lack of economic incentives.

The EC has stated that the current EU regulatory framework is inadequate because it does not prescribe specific cybersecurity requirements covering the whole life cycle of a product, and does not cover all digital products, in particular non-embedded software.

The EU Commission is considering the following policy options:

  • Maintaining the status quo.
  • Introducing voluntary measures, including the further development of voluntary certification schemes under the Cybersecurity Act.
  • 'Ad hoc' regulatory interventions, limited to adding or amending the cybersecurity requirements in existing legislation, and regulating new risks when they emerge.
  • A horizontal regulatory intervention introducing cybersecurity requirements for a broad scope of tangible and non-tangible digital products and their associated ancillary services, including non-embedded software.
  • A mixed approach, including mandatory and soft rules, with sub-options on conformity assessment procedures and a staggered approach for the cybersecurity of non-embedded software.

Both the consultation and the call for evidence close on 25 May 2022. Adoption of the proposal for an EU Cyber Resilience Act is planned for the third quarter of 2022.

Next steps

Manufacturers and vendors of tangible and intangible digital products and ancillary services that operate in the EU market should consider responding to the call for evidence to provide their views on:

  • Current and emerging problems related to the cybersecurity of digital products and associated services; and
  • Possible policy approaches to address such problems, the available options and their potential impacts.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.