"Cyber Resilience ACT" project, becoming responsible

The Cyber Resilience Act project

More and more connected devices and software products are the target of successful cyberattacks, and in 2021 the annual cost of cybercrime was estimated at 5.5 billion euros. Despite existing cybersecurity legislation, gaps remain, and the fragmentation of the market, where each country applies its own rules and products are poorly controlled, does not help.

In response, the European Commission submitted a new draft law on 15 September 2022, known as the "Cyber Resilience Act". It aims to strengthen cybersecurity for all "products with digital elements" and to set cybersecurity rules that ensure greater security of both hardware and software products.

The issues raised by this bill

This bill responds to two observations. The first structural problem is the overall level of security of technologies: about a quarter of information and communication technology (ICT) products on the market have a low or very low level of security. Some manufacturers tend to cut security costs to speed up the time to market of their products. Although updates are sometimes released to fix security issues, they are usually made only after a vulnerability has already been discovered.

The second structural problem is the lack of awareness about the responsible use of ICT products. In Europe, seven out of ten users admit that they have not been sufficiently informed about the risks of cyberattacks and their consequences. In addition, when purchasing products, end users do not consider security a major criterion, since they tend to assume that security is built into the design of the product (the security of webcams and other connected objects is a typical example).

The Cyber Resilience Act aims to establish security standards for connected products. It imposes a series of obligations on all products concerned, including security by design and the absence of known vulnerabilities at the time of delivery. Manufacturers will also need to provide detailed documentation on product security, associated risks, technical support, and security updates for at least 5 years. The main goal is to improve product security and create a cybersecurity environment with consistent rules for all connected devices and software. It also aims to give consumers and businesses a clear view of product security and to offer products and software of better quality in terms of security.

In practice

The European Commission wants to strengthen the security of the connected products that have been entering our homes for many years to make our daily lives easier. Currently, most of these connected objects and software are not subject to any security obligations, except for products in aeronautics, the medical sector and the automotive sector, which are already covered by other regulations. Online services, software delivered as an online service, and messaging services are also excluded from this rule, unless they are tied to a device. In other words, most connected devices are affected by this new rule.

The products are divided into two categories. The first includes the most critical products, such as password managers, VPNs, and antivirus software. The second includes operating systems for smartphones, computers and servers, routers and connected objects. Critical products will need to demonstrate compliance, and manufacturers will have 24 hours to report any vulnerability exploited by cybercriminals to the European Union Agency for Cybersecurity.

Member States will have to check the conformity of these products, and in case of non-compliance a fine of up to 15 million euros or 2.5% of the company's worldwide turnover will be applied.

Our verdict

It is crucial that manufacturers of connected objects take responsibility for the cybersecurity of their products. With the increasing proliferation of IoT devices in office (IT) and industrial (OT) environments, manufacturers must act to reduce the risk of cyberattacks. However, this task is immense and manufacturers will need support to achieve it. They will not only have to design their products following security by design from the outset, but also prove their compliance by having them evaluated. It is clear that the law on cyber resilience still has a long way to go before it is fully assimilated, both during development and by users when choosing tools. Manufacturers must therefore anticipate this approach to minimize the impact of these regulations.