The European Commission launches new Cyber Resilience Act to secure IoT devices in Europe
The Commission has announced a new Act that will establish minimum security requirements for connected devices, covering the product development and lifecycle.
DIGITAL SME WG Cyber and Data members contributed a response to the Consultation and held one on one interviews with policymakers to provide feedback on the likely impact on SMEs.
On 15 September, the European Commission published the Cyber Resilience Act, which aims to increase the security of European IoT software and hardware by setting minimum security requirements for connected devices, both during product development and throughout the product life cycle. The Act will make manufacturers responsible for ensuring that their products are digitally secure, while giving consumers greater information regarding the security of their devices.
The Act will target the threats and vulnerabilities found in IoT ecosystems and is intended to prevent a repeat of the Mirai cyber-attack; given the proliferation of connected devices, the Commission views it as a matter of urgency to ensure a higher level of cybersecurity in such devices. The Commission believes that, currently, nearly half of the devices on the market already contain cybersecurity measures close to those required by the Act, so the focus will be on securing the other half. It is estimated that preventing cyber-attacks and cyber-crime could save companies between 180 and 290 billion EUR annually.
The legislation will create two product categories – critical and non-critical. Critical products, such as VPNs, routers, firewalls and operating systems, will be regulated via a third-party assessment, while non-critical products – 90% of the market – will only require a self-declaration of conformity.
DIGITAL SME’s Working Group Cyber and Data and Working Group Digitalisation previously had the opportunity to contribute to the drafting of the proposed legislation, via meetings with the DG CONNECT unit responsible for the proposal, submitting a response to the consultation and being invited to one-on-one interviews with representatives of the European Commission to provide analysis on the impact of the suggested measures contained within the proposal.
The suggestions contained within the consultation response have mostly been adopted. One point that was important for DIGITAL SME related to deploying a risk-based approach to ensure that low-risk products are only subject to minimal requirements and compliance checks, which the two product categories allow for. Similarly, limiting the time that a manufacturer has to provide security updates for a product to a maximum of 5 years (or the product lifecycle, if less than 5 years) answers another of the concerns raised in the DIGITAL SME position.
The Chairman of DIGITAL SME’s Working Group on Cybersecurity, Fabio Guasconi, commented: “DIGITAL SME recognises the need for increased cybersecurity and welcomes efforts to secure European products so that customers can be confident in the security of their purchase. Given the horizontal nature of the Act, DIGITAL SME would like to suggest that in order not to place too high a burden on SMEs, sufficient support should be offered by member states and national authorities to help ensure their ability to understand and comply with the requirements of the Act.”
“Ensuring that this support is harmonised across member states can help avoid fragmentation of the market and avoid giving an advantage to companies based in different member states. Offering this support will ensure that European SMEs are able to offer customers and businesses a high level of security, while not impacting their ability to innovate and enter new markets.”