Endpoint Security , Internet of Things Security , Standards, Regulations & Compliance

European Council Adopts Cyber Resilience Act

Act Imposes Mandatory Patching for IoT Devices
European Council Adopts Cyber Resilience Act
Image: Shutterstock

The European Council on Thursday adopted security-by-design regulation that makes patching and vulnerability updates mandatory for connected devices in the European Union.

See Also: OnDemand Webinar| Improving Maritime Cybersecurity & Operational Resiliency

The Cyber Resilience Act, first proposed by the European Commission in 2022, requires manufacturers to undertake "essential cybersecurity requirements" such as carrying out a risk assessment to determine cyber risks within their products, ensuring default data protection, and regularly providing information regarding flaws and patching them swiftly.

With the European Council's official adoption of the bill on Thursday, the proposal is all but formally law. The European Commission and Council presidents will sign the bill, officially starting a 36-month countdown clock for the legislation to come into effect.

"The new regulation aims to fill the gaps, ensuring that products with digital components are made secure throughout the supply chain and throughout their life cycle," the Council said on Thursday.

Vendors will also be required to disclose within 24 hours of detecting "any actively exploited vulnerability" to the European Union Agency for Cybersecurity, which would forward the notification to a designated national computer security incident response team.

Products that meet the regulatory conformity will be required to affix a "CE" marking. Non-compliance could result in businesses facing up to 15 million euros or 2.5% of their global turnover, whichever is higher.

The proposed regulation has been previously criticized by security experts and other industry stakeholders. In an open letter sent to the EU Internal Market Commissioner last year, 56 security experts raised concerns that provisions such as reporting flaws within 24 hours would make it easier for nation hackers to target publicly disclosed flaws (see: Cyber Mavens Slam Europe's Cyber Resilience Act).

Executives of top European tech companies said provisions such as mandatory third-party risk assessment would disrupt their supply chain, as well as harm market competition (see: EU Cyber Resilience Act May Cause Bottlenecks, Companies Say).

The EU regulators argue trading bloc-wide regulation will allow companies to avoid overlapping regulatory requirements within the EU, as well as streamline product placements across Europe.


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.