Eleven short seconds: that is how often ransomware settles on a new device, barely more time than Usain Bolt needs to run 100 m. To combat this new danger, which is estimated to cost the EU between 180 and 290 billion euros per year, the European Commission has drafted the Cyber Resilience Act. As conceived, it will oblige manufacturers of digital and Internet-connected devices to secure every piece of equipment they place on the market. Manufacturers will be responsible for the security of their products throughout their expected lifetime, which is set at a minimum of five years. Whether the weakness lies in the device itself or in its software, every model marketed must be secure, or the product risks being withdrawn from the market and the manufacturer risks a fine on top of that.
“Computers, phones, appliances, virtual assistive devices, cars, toys… Each of these hundreds of millions of connected products is a potential entry point for a cyberattack”, said Thierry Breton, European Commissioner for the Internal Market. According to the European Commission, cyberattacks increased during the pandemic, while the energy crisis resulting from the Russian-Ukrainian conflict has the authorities worried about hackers targeting infrastructure. Moreover, even though businesses and institutions are the most frequent targets, the law will also better protect every European citizen, since it “will also allow customers to be properly informed about the cybersecurity of the products they buy and use”, as the European Commission’s Q&A puts it.
A screw a little too tight
This tightening of the rules looks beneficial at first sight, but experts find it debatable on certain points. The Computer and Communications Industry Association (CCIA), a lobby group for IT companies, questions the usefulness of all these measures: “These cybersecurity rules should strive to weed out bad products from the European market, but the current proposal […] would lead to innovative products piling up in waiting rooms before they could be used by Europeans”, Alexandre Roure, director of public policy at CCIA Europe, told AP News. While he welcomes the Commission’s initiative to strengthen cybersecurity, he wants measures that are more realistic for companies: “The new rules should recognize globally accepted standards and facilitate cooperation with trusted trading partners to avoid duplicative requirements.”
The proposal will now be discussed and voted on by both the European Parliament and the Council. Once the text has been adopted, economic operators and the Member States will have two years to put it in place. The only exception is the obligation to notify “actively exploited vulnerabilities and incidents”, for which manufacturers will have just one year, “because it requires fewer organizational adaptations than the other new obligations”.