Understanding the EU Cyber Resiliency Act
As information becomes pervasive throughout our lives and societies, so does the threat of cybercrime. To combat this, the EU has proposed a law to increase cyber resiliency that, if adopted, will be felt worldwide.
- By Troy Hiltbrand
- October 26, 2022
As businesses across multiple sectors go through a digital transformation, we see a proliferation of interconnected devices. With this increased digital connectivity, we also see an increase in cyber threats. The attack surface grows larger with each passing year. This heightened threat level extends beyond individual businesses and adds risk to the economy as a whole. Governments are stepping in to ensure that laws and regulations keep pace with the growing economic threat.
This is evidenced by a proposed law in the European Union called the Cyber Resiliency Act. This regulation seeks to protect consumers and the market from cyber incidents and aligns with the government’s goals to deliver on the EU’s digital transformation within the next decade. At the opening of the Cybertech Europe 2022 conference in Rome, Alessandro Profumo, the chief executive officer of Leonardo S.p.a., a trusted technology partner to governments worldwide, estimated that the global cost of cybercrime topped $6 trillion last year, with one-fifth of the total attacks directed at Europe.
Daniel Dobrygowski, the head of governance and trust at the Forum’s Centre for Cybersecurity, stated that “technology leaders, companies, and their boards of directors would do well to pay attention to these developments and recognize that cyber strategy is a business strategy and understanding cyber risk is part of good governance in the digital age.”
The proposed Cyber Resiliency Act focuses on European vendors and consumers, but with the global integration of the economy it will be felt worldwide. For IT shops and analytics groups, it will put an added layer of emphasis on securing both the hardware and the information across all devices in the enterprise, with particular attention to components that are consumer-facing. The two main areas of emphasis are the creation of secure products and the disclosure of security information to the end consumers of the digital products they are using.
Creation of Secure Products
The first main objective of this act is to create conditions whereby any product with digital elements is developed in a secure way. This ensures that both hardware and software products are placed on the market with fewer vulnerabilities. This is achieved by ensuring that manufacturers are incorporating cyber security throughout the product’s life cycle.
There are two key components of this objective. First, the regulation sets forth a target of establishing a cyber security framework that manufacturers of digital products can adhere to in order to reduce vulnerabilities. Second, penalties are attached to willful violation of the precepts of this framework. The penalties for non-compliance with the requirements can be up to €15 million or 2.5 percent of annual global revenue, whichever is higher.
The second main objective is to ensure that users can take these cyber security considerations into account when they are selecting and using products that have some type of digital element or connectivity. When dealing with products that store, utilize, and share information, the end consumer should be aware of the cyber security risks they are assuming.
Once informed of the cyber security attributes of these digital products, end users can make wise decisions about which products to use and how to most effectively use them to protect themselves and society.
One of the precepts of the proposed law is that manufacturers deliver their products with a secure default configuration. This would establish out-of-the-box security even in cases where the end user is not savvy enough to secure the product themselves.
As this is still in the proposal phase, it is being reviewed and the European Parliament has called for feedback. They will be meeting again in December to review the next steps with this regulation. If the act is approved by the European Parliament and the European Council, EU countries will have two years to adopt the new rules.
As an IT leader tasked with enabling business strategy, it is important for you to stay abreast of the moving technology ecosystem, especially as it relates to digital transformation efforts and the related cyber security risks. With this proposed legislation, anyone doing business in Europe or downstream from European vendors could be affected.
In addition, nations around the world look to Europe and its digital laws as a model for their own rules and regulations. We are sure to see other nations with similar concerns enact complementary regulations, since the shared goal is a more secure and resilient economy.
Troy Hiltbrand is the chief information officer at Amare Global where he is responsible for its enterprise systems, data architecture, and IT operations. You can reach the author via email.