December 2 2023

European Union Sets Tough New Rules on Cyber ​​Security: Manufacturers and Marketers Face More Liability

Strengthened regulations for manufacturers, five years of mandatory security updates, and specific support for small businesses ahead of final approval from the Eurochamber and Council

CRA

In a historic move, the European Union is preparing to adopt the first global legislation on cybersecurity. After intense negotiations, a few days ago (30 November), representatives of the European Parliament and the Council of the EU reached an agreement on the regulations proposed by the European Commission in September 2022.

These new rules will impose "proportionate and mandatory" cybersecurity requirements for all hardware and software products placed on the European single market. This spectrum includes a wide range of devices, from baby monitors to smartwatches, from computer games to firewalls and routers. Under the Cyber ​​Resilience Act, information technology manufacturers will be required to implement security measures throughout the product lifecycle, from design and development to market release. Products considered "safe" will receive the CE marking, a symbol of conformity with the requirements of the Regulation and a guarantee of saleability throughout the EU.

The goal of this legislation is twofold: to ensure that digital products used every day meet high security standards and to hold manufacturers accountable for the safety of their products.

Vera Jourova

For Vera Jourová, Vice President of the European Commission for Values ​​and Transparency, 90% of products will require self-assessment by market participants on their cyber resilience. This category includes devices that handle services such as photo editing, word processing, smart speakers, hard drives, and video game consoles. The remaining 10% will be divided into two classes of criticality: 'Class I', which includes password managers, network interfaces and firewalls, will require predefined standards or third-party assessments; while for 'Class II', which includes operating systems and industrial firewalls, an independent assessment will be necessary.

Thierry Breton, EU Commissioner for the Internal Market, highlights the crucial importance of cybersecurity not only for consumers, but for society as a whole. The number of cyberattacks on the software supply chain has tripled in the last year, with an estimated cost of around €20 billion. In 2021, approximately 10 million DDoS attacks were recorded globally.

Thierry Breton at the presentation of the Cyber ​​Resilience Act
Thierry Breton at the presentation of the Cyber ​​Resilience Act

The final version of the law, shaped during the interinstitutional trilogues, maintained the general structure of the Commission's initial proposal. The legal obligation for manufacturers to provide security updates for a period of at least five years has been confirmed. Furthermore, support measures have been included for small and micro-enterprises, including awareness-raising and training activities.

Before final adoption, the agreement will have to be ratified by the plenary session of the European Parliament and by the ministers of the 27 member countries meeting in the Council. Once passed, the Cyber ​​Resilience Act will be published in the Official Journal and the new rules will come into force three years later.

Cyber ​​Resilience Act

The Cyber ​​Resilience Act, a pioneering legislation in the field of cybersecurity, was proposed by the European Commission on 15 September 2022. This initiative is part of a broader commitment by the European Union to strengthen the resilience and security of its digital space . The regulation focuses on crucial aspects of cybersecurity for hardware and software products, aiming to raise and standardize security standards across the European single market.

Here are the key points of the Cyber ​​Resilience Act:

  1. Security Requirements: It imposes the need to integrate robust cybersecurity measures into all phases of the product life cycle, from design to launch.
  2. CE marking: Products that meet the safety requirements will obtain the CE marking, indicating their compliance with EU safety standards and their suitability for sale throughout the Union.
  3. Evaluation and Compliance: It introduces a differentiated risk assessment system. While most products can be self-assessed for cyber resilience, some high-risk products require third-party assessments.
  4. Security Updates: It establishes an obligation for manufacturers to provide security updates for a minimum period of five years, ensuring protections against evolving cyber threats.
  5. Support for Small and Micro Businesses: It includes support measures for small and micro businesses, such as training and compliance assistance.
  6. Producers' Responsibilities: It accentuates the responsibility of manufacturers to ensure the safety of their products, encouraging the production of safer devices.

After its initial proposal in September 2022, the political agreement on the Cyber ​​Resilience Act was reached on 30 November 2022 between negotiators of the European Parliament and the Council of the EU. This step represents a significant advance in the field of digital security, establishing rigorous standards for manufacturers and improving the protection of consumers and businesses against cyber threats. The implementation of this law marks a crucial moment for digital security in the European Union, aiming to create a more secure and resilient digital environment.

Do you have doubts? Don't know where to start? Contact us!

We have all the answers to your questions to help you make the right choice.

Chat with us

Chat directly with our presales support.

0256569681

Contact us by phone during office hours 9:30 - 19:30

Contact us online

Open a request directly in the contact area.

INFORMATION

Managed Server Srl is a leading Italian player in providing advanced GNU/Linux system solutions oriented towards high performance. With a low-cost and predictable subscription model, we ensure that our customers have access to advanced technologies in hosting, dedicated servers and cloud services. In addition to this, we offer systems consultancy on Linux systems and specialized maintenance in DBMS, IT Security, Cloud and much more. We stand out for our expertise in hosting leading Open Source CMS such as WordPress, WooCommerce, Drupal, Prestashop, Joomla, OpenCart and Magento, supported by a high-level support and consultancy service suitable for Public Administration, SMEs and any size.

Red Hat, Inc. owns the rights to Red Hat®, RHEL®, RedHat Linux®, and CentOS®; AlmaLinux™ is a trademark of AlmaLinux OS Foundation; Rocky Linux® is a registered trademark of the Rocky Linux Foundation; SUSE® is a registered trademark of SUSE LLC; Canonical Ltd. owns the rights to Ubuntu®; Software in the Public Interest, Inc. holds the rights to Debian®; Linus Torvalds holds the rights to Linux®; FreeBSD® is a registered trademark of The FreeBSD Foundation; NetBSD® is a registered trademark of The NetBSD Foundation; OpenBSD® is a registered trademark of Theo de Raadt. Oracle Corporation owns the rights to Oracle®, MySQL®, and MyRocks®; Percona® is a registered trademark of Percona LLC; MariaDB® is a registered trademark of MariaDB Corporation Ab; REDIS® is a registered trademark of Redis Labs Ltd. F5 Networks, Inc. owns the rights to NGINX® and NGINX Plus®; Varnish® is a registered trademark of Varnish Software AB. Adobe Inc. holds the rights to Magento®; PrestaShop® is a registered trademark of PrestaShop SA; OpenCart® is a registered trademark of OpenCart Limited. Automattic Inc. owns the rights to WordPress®, WooCommerce®, and JetPack®; Open Source Matters, Inc. owns the rights to Joomla®; Dries Buytaert holds the rights to Drupal®. Amazon Web Services, Inc. holds the rights to AWS®; Google LLC holds the rights to Google Cloud™ and Chrome™; Microsoft Corporation holds the rights to Microsoft®, Azure®, and Internet Explorer®; Mozilla Foundation owns the rights to Firefox®. Apache® is a registered trademark of The Apache Software Foundation; PHP® is a registered trademark of the PHP Group. CloudFlare® is a registered trademark of Cloudflare, Inc.; NETSCOUT® is a registered trademark of NETSCOUT Systems Inc.; ElasticSearch®, LogStash®, and Kibana® are registered trademarks of Elastic NV Hetzner Online GmbH owns the rights to Hetzner®; OVHcloud is a registered trademark of OVH Groupe SAS; cPanel®, LLC owns the rights to cPanel®; Plesk® is a registered trademark of Plesk International GmbH; Facebook, Inc. owns the rights to Facebook®. This site is not affiliated, sponsored or otherwise associated with any of the entities mentioned above and does not represent any of these entities in any way. All rights to the brands and product names mentioned are the property of their respective copyright holders. Any other trademarks mentioned belong to their registrants. MANAGED SERVER® is a trademark registered at European level by MANAGED SERVER SRL, Via Enzo Ferrari, 9, 62012 Civitanova Marche (MC), Italy.

Back to top