On September 15, 2022, the EU Commission presented a proposal for a new Cyber Resilience Act to protect consumers and businesses from products with inadequate security features. This EU legislation introduces mandatory cybersecurity requirements for products with digital elements, throughout their whole lifecycle.

The EU legislation will impose:

    (a) rules for the placing on the market of products with digital elements to ensure their cybersecurity;

    (b) essential requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to these products;

    (c) essential requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the whole life cycle, and obligations for economic operators in relation to these processes. Manufacturers will also have to report actively exploited vulnerabilities and incidents;

    (d) rules on market surveillance and enforcement.

The proposed regulation will apply to all products that are connected either directly or indirectly to another device or network.

The European Parliament and the Council will examine the draft Cyber Resilience Act. Once adopted, the economic operators and Member States will have two years to adapt to the new requirements. However, the reporting obligation on manufacturers regarding actively exploited vulnerabilities and incidents will apply one year from the date of entry into force. Essential Cybersecurity Requirement and Vulnerability handling requirements are provided in Annex of the proposed new Cyber Resilience Act (provided as a separate document in the link below).

Please see Factsheet on the EU Cyber Resilience Act and Proposal for a Cyber Resilience Act for more information.