Are you worried about the cybersecurity of the digital products and services you use? You’re not alone. The European Commission is proposing new legislation to help make sure that the products and services we use are more secure. The Commission is also proposing new rules to help ensure that vendors take responsibility for the cybersecurity of their products and services throughout the entire product life cycle. Here’s everything you need to know about the proposed changes to the EU’s cyber resilience framework.
What’s wrong with the current system?
The current EU framework for digital product security is adequate for some aspects, but it fails to cover others. For instance, the current legislation does not prescribe specific cybersecurity requirements for the whole life cycle of a product. This is a problem because software needs to be updated on a regular basis in order to keep up with changing threats.
In addition, the existing framework does not cover all types of digital products. In particular, it fails to address a variety of widely used hardware (such as hardware that doesn’t fall under the Radio Equipment Directive or the Medical Devices Regulation). Moreover, non-embedded software products are also not addressed by the current framework, even though vulnerabilities in software products are increasingly serving as a channel for cybersecurity attacks, causing significant societal and economic costs.
What is the Commission proposing?
The European Commission is proposing a new European Cyber Resilience Act to address these shortcomings. The proposed legislation would set out common standards for digital product security and vendor responsibility throughout the entire product life cycle. This would include requirements for vendors to provide timely security updates and patches, as well as to ensure the cybersecurity of their products and services during end-of-life.
What are the benefits of the proposed changes?
If enacted, the proposed changes would help to ensure that the digital products and services we use are more secure. The new legislation would also help to hold vendors accountable for the cybersecurity of their products and services. This, in turn, would incentivize vendors to take security more seriously and invest more in cybersecurity research and development.
What’s next?
The proposed legislation still needs to be approved by the European Parliament and the Council of the EU before it can become law. However, if approved, the new rules could come into force as early as 2022.
In the meantime, you can take steps to protect yourself from cybersecurity threats by keeping your software up to date and using a reputable security suite. You can also stay informed about the latest threats by following security blogs and subscribing to security newsletters.
What are the legal grounds for this proposal?
The European Commission is proposing the Cyber Resilience Act on the basis of Article 114 of the Treaty on the Functioning of the European Union. This allows the EU to adopt measures in the field of information and communication technologies (ICT) with a view to ensuring a high level of security of networks and information systems.
The Commission is also proposing the Cyber Resilience Act on the basis of Article 8 of the Treaty on European Union. This allows the EU to adopt measures in the field of ICT with a view to ensuring a high level of security of networks and information systems within the Union.
At LEGID, we have a team of expert cybersecurity lawyers who can advise you on the proposed changes to the EU’s cyber resilience framework. Contact us today to learn more: hi@legid.app