The European Commission plans to implement tough new measures that would make tech developers accountable for the cybersecurity of their products throughout their life cycle.
The European Union’s proposed Cyber Resilience Act would force manufacturers of any internet-connected product or service to put cybersecurity at the heart of their design as they would ultimately be held responsible for ensuring they are safe to use for years after their sale.
The plans were announced as part of Commission President Ursula von der Leyen’s “State of the Union” address Sept. 15.
The rules are meant to make manufacturers of internet-connected products—including software, toys, smart phones and speakers, hard drives, and video games—provide users with updates, security alerts, and patches when vulnerabilities are discovered. The developers would also provide assurance they already have cybersecurity measures embedded when customers buy their products in the first place.
The proposal includes steep fines to ensure compliance—up to 15 million euros (U.S. $14.6 million) or 2.5 percent of a company’s annual revenues, whichever is higher.
While the proposed legislation primarily puts pressure on tech manufacturers, experts believe companies using the technologies would also have a duty of care to ensure they have opted for the most secure products available and are not putting their customers, suppliers, or users at risk.
Companies would need to review, assess, identify, and mitigate any potential flaws in the existing technologies and software they are using ahead of the rules being finalized and taking effect, as well as consider informing customers and regulators of any potential security weaknesses.
“One of the concerns the legislation is directed at is that devices continue to be manufactured and offered for sale which are inherently insecure,” said Will Richmond-Coggan, a director and data privacy expert at law firm Freeths.
“Businesses or individuals that deploy such technology continue to be responsible for the security of their systems and the devices they deploy. They already have a responsibility to safeguard their systems and should never be deploying untested and insecure third-party tools on those systems,” he said. “Any such tools, if not tested before deployment, should certainly be the focus of any regular security auditing the business does or otherwise reviewed as a priority on a free-standing basis.”
In due course, Richmond-Coggan added, “The new regime is likely to lead businesses and consumers to look for and expect a degree of cyber resilience in the products they buy and make purchasing decisions accordingly, which will in turn drive further change.”
Jean-Georges Valle, vice president in the cyber risk practice at consultancy Kroll, believes companies need to take steps now to ensure compliance. He recommended businesses conduct risk assessments and penetration testing to assess which technical measures can be put in place to protect data and IT systems (such as firewalls and data encryption) and detect problems (including audit and monitoring).
“When we look at the current internet of things (IoT) market, a majority of medium- and small-size actors are purely focusing on time to market and the core functionalities of their system,” he said. “Security only comes as an afterthought, so properly identifying and defining these risks is the only way to put adequate controls in place.”
Daniel dos Santos, head of security research at cybersecurity tech vendor Forescout, said companies using IoT technology should always be vigilant about the security of products placed on their networks.
“Keeping an accurate and up-to-date asset inventory describing all the devices on a network and the software they are running is a basic cybersecurity control that allows for proper risk assessment and mitigation,” said dos Santos. “This new regulation can help organizations to identify what types of products are critical on their network and compare the proposed requirements to what the manufacturers they rely on are currently doing.”
William Dixon, global head at cybersecurity firm ISTARI, said the European Union could go further in making sure device manufacturers not only patch software issues and maintain security but also explain the importance of doing so to users so they are more inclined to take the time to download updates.
“Users should not view cybersecurity as an additional cost but rather as a source of trust in the underlying digital architecture on which we increasingly rely,” he said.
There is no timeline set yet for when the legislation might be approved by the European Parliament and European Council, which is composed of the heads of all the EU states and the Commission president. If the rule is adopted, member states will have two years to put the legislation into force, though the requirement for manufacturers to report flaws will take effect after one year of implementation.