EU adopts “world first” cybersecurity legislation for manufacturers, including oil, gas industry

(WO) – The European Commission welcomed the political agreement reached Thursday night between the European Parliament and the Council on the Cyber Resilience Act, proposed by the Commission in September 2022.

The Cyber Resilience Act is the first legislation of its kind in the world. It will improve the level of cybersecurity of digital products to the benefit of consumers and businesses across the EU, as it introduces proportionate mandatory cybersecurity requirements for all hardware and software. Products with different levels of risk associated will have different security requirements. Less than 10% of products will be subject to third-party assessments.

With this new regulation, all products put on the EU market will need to be cyber secure. This is a crucial step in the fight against the growing threat from cyber criminals and other malicious actors.

Once the Cyber Resilience Act is in place, manufacturers of hardware and software will have to implement cybersecurity measures across the entire lifecycle of the product, from the design and development, to after the product is placed on the market. Software and hardware products will bear the CE marking to indicate that they comply with the Regulation's requirements and therefore can be sold in the EU.

The Act will also introduce a legal obligation for manufacturers to provide consumers with timely security updates for several years after the purchase. This period must reflect the time products are expected to be used.

Through these measures, the new act will empower users to make better informed and more secure choices, as manufacturers will have to become more transparent and responsible about the security of their products.

Next steps. The agreement reached is now subject to formal approval by both the European Parliament and the Council. Once adopted, the Cyber Resilience Act will enter into force on the 20th day following its publication in the Official Journal.

Upon entry into force, manufacturers, importers and distributors of hardware and software products will have 36 months to adapt to the new requirements, apart from a more limited 21-month grace period in relation to the reporting obligation of manufacturers for incidents and vulnerabilities.

Background. The Cyber Resilience Act builds on the 2020 EU Cybersecurity Strategy and the 2020 EU Security Union Strategy and was announced in the 2021 State of the European Union address as part of the plan to build a Europe fit for the Digital age. It will complement existing legislation, specifically the NIS2 Framework, adopted in 2022.

In the last year, the number of software supply chain attacks have tripled, and every day, small businesses and critical institutions like hospitals are targeted by cyber criminals. Every 11 seconds, an organisation is hit by a ransomware attack, to the cost of an estimated €20 billion annually. And, in 2021 alone, cyber criminals were able to hack devices and launch around 10 million distributed denial of service (DDoS) attacks worldwide, making websites and online services inaccessible to their users.

Expert commentary. George McGregor, VP, Approov Mobile Security said, “Despite a lot of pushback, particularly on the 24 hour breach reporting requirements,  the EU Cyber Resiliency Act (CRA) is now on its way to being in force in 2024. Companies will have a 21-month grace period before they must conform with the reporting obligation of manufacturers for incidents and vulnerabilities.”

“Any companies who operate in the EU would do well to make it a priority to study this legislation: it provides a cybersecurity framework and rules governing the planning, design, development and maintenance of any products, with obligations to be met at every stage of the value chain. The breach reporting requirements are particularly demanding.

“This is another sign that pressure is being put on all companies and organizations around the world to invest in their cybersecurity resilience and response. The SEC is also active, proposing new guidelines with a four-business day reporting rule. 

“This trend will continue, and it is inevitable that all companies will have to increase their focus and investment on cybersecurity governance, protection and response.

David Ratner, CEO, HYAS Infosec, said, "The Cyber Resiliency Act is a great start and will certainly help to increase transparency and responsibility.  However, organizations should not let attestations and compliance drive their overall operational resiliency and business continuity strategy. They still require solutions capable of giving them the visibility and observability required to move business forward with confidence in the face of a constant onslaught of new and innovative cyber attacks."