Initiative to EU regulation for cyber security of digital products

The European Commission’s Directorate‑General for Communications Networks,Content and Technology, Unit for Cybersecurity and Digital Privacy Policy has taken an initiative denoted “Cyber Resilience Act”, which seeks to work in conjunction with existing legislation, like the Cybersecurity Act and the Directive on the security of Network Information Systems, to improve cybersecurity by addressing gaps in the existing regulatory framework for digital products and services.

A consultation paper has been published regarding a possible Regulation on horizontal cyber-security requirements for digital products and ancillary services. The paper aims to inform the public and stakeholders on the Commission's future legislative work so they can provide feedback on the Commission's understanding of the problem and possible solutions, and relevant information that they may have, including on possible impacts of the different options. The intended regulation would complement the Delegated Regulation of 29 October 2021 under the Radio Equipment Directive by setting up streamlined cybersecurity requirements for a wide range of both wireless and wired digital products and non-embedded software, and would cover their whole life cycle.
When placing digital products or services on the market, vendors (e.g. hardware manufacturers, software developers, distributors and importers) often do not put in place adequate cybersecurity safeguards, and also do not systematically provide information on product security making it difficult for consumers to inform themselves and assess the security of the products and services they are using.

In addition to essential cybersecurity requirements, the initiative would place obligations on economic operators, and introduce provisions on conformity assessment, on the notification of conformity assessment bodies, and on market surveillance. In practice, essential cybersecurity requirements would translate into harmonized standards specific for the different categories of products. At this stage of reflection, the Commission has identified a number of different policy options.
The published document may be seen in full at this link: Cyber resilience act – new cybersecurity rules for digital products and ancillary services (europa.eu)