The EU is set to endorse a refined version of the Cyber Resilience Act, which introduces new cybersecurity regulations for connected devices. The Act requires manufacturers to report any cybersecurity incidents or actively exploited vulnerabilities to the competent authority. Responsibility for receiving these reports has been moved from ENISA, the EU cybersecurity agency, to national Computer Security Incident Response Teams (CSIRTs). The Act also introduces the concept of ‘highly critical products’, for which the European Commission could mandate EU cybersecurity certification schemes. However, the latest version of the Act removes any explicit reference to these products.
Manufacturers are also required to indicate the expected product lifetime during which users can expect security updates. The Act further stipulates that responsibility for complying with the cybersecurity law shifts to the economic operator that substantially modifies a connected device. However, this responsibility is waived for security patches that do not modify the intended purpose of a product. The Act also excludes from its scope components of connected devices manufactured exclusively as spare parts to replace identical components.
The enforcement of the Act will be guided by EU market surveillance authorities, who will issue guidance documents to streamline the regulation’s enforcement at the national level. The Act is expected to be adopted by the EU Council’s Committee of Permanent Representatives, with negotiations between EU co-legislators due to start in September.
Source: EURACTIV
To mitigate potential threats, it is important to implement additional cybersecurity measures with the help of a trusted partner like INFRA www.infrascan.net, or you can try it yourself using check.website.