The European Commission has proposed new legislation that would aim to enhance the security of most network-connected devices. The Cyber Resilience Act would require manufacturers to handle vulnerabilities “effectively” for five years or the lifetime of the product, whichever is shorter. Vulnerabilities in the devices would need to be reported to ENISA within 24 hours of detection. The legislation now goes before the European Parliament and the Council.
Note
- We are all familiar with the mantra “We take the security of our customers’ data seriously” that many organisations trot out as a result of a breach. However, many won’t take security seriously until they are required to do so by regulations. We witnessed that with the introduction of the EU General Data Protection Regulation (GDPR) and to some extent with PCI DSS. The EU is introducing a raft of regulations around cybersecurity, such as the Cyber Resilience Act, which hopefully will make organisations take ownership of their responsibilities with regard to cybersecurity and not leave it a pure technical issue for the IT team to worry about.
- Note the scope – this covers most network-connected devices while excluding medical devices for human use as well as “free and open-source software developed or supported outside the course of a commercial activity.” Electronic Health Record and “high-risk AI systems” are in scope. Manufacturers will have 24 months to come into compliance. The good news is that there will be clearly defined support expectations which will facilitate lifecycle planning; the bad news is that consumers may not factor replacement into items such as appliances, cars and toys, let alone their home computer. Consumers will easily be taught to seek the CE marking for secure devices; understanding that it includes expiration will be a far greater challenge.