The Cyber Resilience Act bolsters cybersecurity rules to ensure more secure hardware and software products
SEPTEMBER 2022
The Cyber Resilience Act is now public.
Scope:
Products with digital elements (any software or hardware product) whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network.
Manufacturer responsibilities:
- Cybersecurity is taken into account in the planning, design, development, production, delivery and maintenance phases;
- All cybersecurity risks are documented;
- Manufacturers will have to report actively exploited vulnerabilities and incidents;
- Once sold, manufacturers must ensure that for the expected product lifetime or for a period of five years (whichever is the shorter), vulnerabilities are handled effectively;
- Clear and understandable instructions for the use of products with digital elements;
- Security updates to be made available for at least five years.
Next Steps:
- European Parliament and the Council to examine the proposed Cyber Resilience Act.
- Entry into force, followed by a 2-year transition period before the requirements become mandatory.
Reference: Cyber Resilience Act | Shaping Europe’s digital future (europa.eu)