New cyber resilience rules will establish a uniform set of cybersecurity requirements for all digital products in the European Union. The draft cyber resilience act approved by the Industry, Research and Energy Committee aims to ensure that products with digital features, e.g. phones or toys, are secure to use, resilient against cyber threats and provide enough information about their security properties.

MEPs propose more precise definitions, feasible timelines, and a fairer distribution of responsibilities. The draft rules put products into different lists based on their criticality and the level of cybersecurity risk they pose. MEPs suggest expanding this list with products such as identity management systems software, password managers, biometric readers, smart home assistants, smart watches and private security cameras. Products should also have security updates installed automatically and separately from functionality ones, MEPs add.

They also emphasise the importance of professional skills in the cybersecurity field, proposing education and training programmes, collaboration initiatives, and strategies for enhancing workforce mobility.

Next steps

MEPs on the Industry Committee backed the draft cyber resilience act with 61 votes to 1, with 10 abstentions. They also voted to open negotiations with Council with 65 votes to 2, and 5 abstentions – a decision which will have to be greenlighted by the full House in a forthcoming plenary session.

Background

New technologies come with new risks, and the impact of cyber-attacks through digital products has increased dramatically in recent years. Consumers have fallen victim to security flaws linked to digital products such as baby monitors, robot-vacuum cleaners, Wi-Fi routers and alarm systems. For businesses, the importance of ensuring that digital products in the supply chain are secure has become pivotal, considering three in five vendors have already lost money due to product security gaps.