European (EU) Cyber Resilience Act: Proposal for improved security for digital devices

Hardware and software products are increasingly the target of successful cyberattacks; the global annual cost of cybercrime was estimated at €5.5 trillion by 2021. In response, the European Commission presented its draft Cyber Resilience Act on September 15, 2022. The proposal for a regulation on cybersecurity requirements for products with digital elements, known as the Cyber Resilience Act, aims to define binding cybersecurity rules so that hardware and software products reach the market in a more secure state.


Hardware and software products are increasingly subject to successful cyberattacks, and in many cases the root cause is a known vulnerability or a missing patch. Digital products suffer from two major problems that impose additional costs on users and society:

  • A low level of cybersecurity, manifested in widespread vulnerabilities and the inadequate and inconsistent provision of security updates to address them; and
  • users' insufficient understanding of, and access to, information about products, which prevents them from choosing products with adequate cybersecurity features or from using them securely.

The existing EU regulatory framework covers only certain categories of products with digital elements and does not cover "non-embedded software" at all. At the same time, cyberattacks increasingly exploit vulnerabilities in such products (IoT devices, smartphones, etc.), imposing significant societal and economic costs. The Cyber Resilience Act therefore sets out two main objectives to ensure the smooth functioning of the single market:

  • creating the conditions for the development of secure products with digital elements, by ensuring that hardware and software products come to market with fewer vulnerabilities and that manufacturers take security seriously throughout a product's lifecycle; and
  • creating conditions that allow users to take cybersecurity into account when selecting and using products with digital elements.

The regulation would apply to products with digital elements placed on the European single market and would impose specific cybersecurity requirements and obligations on their manufacturers. Software provided purely as part of a service (software as a service) is not covered by the proposed act. Four specific objectives have been incorporated into the proposal:

  • Ensure that manufacturers improve the security of products with digital elements from the design and development phase and throughout their lifecycle;
  • Ensure a coherent cybersecurity framework that facilitates compliance for hardware and software manufacturers;
  • Improve transparency of security features of products with digital elements; and
  • Enable businesses and consumers to safely use products with digital elements.

Under the proposal, manufacturers must handle vulnerabilities and provide security updates for the expected lifetime of the product or for five years after it is placed on the market, whichever is shorter. The draft texts can be downloaded from this website, and there is a set of questions and answers about the draft Cyber Resilience Act here.
