Economy - published on 09 July 2024
Source: European Commission Spokesperson's Service
The Commission welcomes the political agreement reached last night between the European Parliament and the Council on the cyber resilience law proposed by the Commission in September 2022.
The cyber resilience law is the first legislation of its kind in the world. It will improve the level of cyber security of digital products for the benefit of consumers and businesses across the EU by introducing proportionate mandatory cyber security requirements for all hardware and software products, from baby monitors, smart watches and computer games to firewalls and routers. Different security requirements will apply to products with different risk levels. Less than 10 % of products will be subject to third-party assessments.
With the new regulation, all products placed on the EU market will have to be cyber-secure. This is a key step in the fight against the growing threat posed by cybercriminals and malicious actors.
Once the cyber resilience law is adopted, manufacturers of hardware and software will have to implement cyber security measures during the entire product life cycle, from design to development, as well as after the product is placed on the market. Software and hardware products will have to bear the CE marking, indicating their conformity with the requirements of the regulation, in order to be sold in the EU.
The law will also introduce an obligation for manufacturers to provide security updates to consumers in a timely manner for several years after purchase. The length of this support period must reflect the period during which the products are expected to be in use.
Thanks to these measures, the new law will enable users to make more informed and safer choices, as manufacturers will have to become more transparent and accountable regarding the security of their products.
The agreement reached still needs to be formally approved by the European Parliament and the Council. Once adopted, the law on cyber resilience will enter into force on the 20th day following its publication in the Official Journal.
Once it enters into force, manufacturers, importers and distributors of hardware and software products will have 36 months to comply with the new requirements, with a shorter grace period of 21 months for the obligation to report incidents and vulnerabilities.
Cyber security is one of the top priorities of the European Commission. We must act vigorously to secure our digital products, both software and hardware.
The cyber resilience law, which builds on the EU's 2020 Cybersecurity Strategy and the EU's 2020 Security Union Strategy, was announced in the 2021 State of the Union address as part of the plan to build a digitally-ready Europe, and will complement existing legislation, in particular the NIS2 framework adopted in 2022.
Last year, the number of software supply chain attacks tripled and every day small businesses and critical operators such as hospitals fall victim to cybercrime. Every 11 seconds an organisation is hit by ransomware attacks, at an estimated cost of €20 billion per year. In 2021 alone, cybercriminals were able to hack devices and launch around 10 million distributed denial of service (DDoS) attacks worldwide, rendering websites and online services inaccessible to their users.
Cyber resilience law – Questions and Answers (updated)
Fact sheet: Cyber resilience law
Impact assessment: Cyber resilience law
Consumers need to feel safe using products available on the EU market. The cyber security law agreed today will ensure that the digital products we use at home and at work comply with strict cyber security standards. Those who put such products on the market must be responsible for their security.
Věra Jourová, Vice-President for Values and Transparency – 01/12/2023
The security of all products circulating in the EU has always been a priority and a success. The Cybersecurity Act allows us to fill a gap by completing the security rules so that this is taken into account from the design of all products that reach consumers and users in the EU. The new rules require all interconnected products sold in the EU to be cyber-secure and provide greater security in our businesses and homes.
Margaritis Schinas, Vice-President for Promoting European Lifestyle – 01/12/2023
I welcome the agreement reached by the Parliament and the Council on this important regulation presented by my services. The new law ensures that the aspect of cyber security is strongly integrated into digital devices within the EU, from their conception and throughout their life cycle. Cybersecurity by design is essential for the security of both consumers and society at large.
Thierry Breton, Commissioner for the Internal Market – 01/12/2023