Endpoint Security , Internet of Things Security , Standards, Regulations & Compliance
European Council Adopts Cyber Resilience Act
Act Imposes Mandatory Patching for IoT DevicesThe European Council on Thursday adopted security-by-design regulation that makes patching and vulnerability updates mandatory for connected devices in the European Union.
See Also: The IT Pro's Guide to OT/IoT Security
The Cyber Resilience Act, first proposed by the European Commission in 2022, requires manufacturers to undertake "essential cybersecurity requirements" such as carrying out a risk assessment to determine cyber risks within their products, ensuring default data protection, and regularly providing information regarding flaws and patching them swiftly.
With the European Council's official adoption of the bill on Thursday, the proposal is all but formally law. The European Commission and Council presidents will sign the bill, officially starting a 36-month countdown clock for the legislation to come into effect.
"The new regulation aims to fill the gaps, ensuring that products with digital components are made secure throughout the supply chain and throughout their life cycle," the Council said on Thursday.
Vendors will also be required to disclose within 24 hours of detecting "any actively exploited vulnerability" to the European Union Agency for Cybersecurity, which would forward the notification to a designated national computer security incident response team.
Products that meet the regulatory conformity will be required to affix a "CE" marking. Non-compliance could result in businesses facing up to 15 million euros or 2.5% of their global turnover, whichever is higher.
The proposed regulation has been previously criticized by security experts and other industry stakeholders. In an open letter sent to the EU Internal Market Commissioner last year, 56 security experts raised concerns that provisions such as reporting flaws within 24 hours would make it easier for nation hackers to target publicly disclosed flaws (see: Cyber Mavens Slam Europe's Cyber Resilience Act).
Executives of top European tech companies said provisions such as mandatory third-party risk assessment would disrupt their supply chain, as well as harm market competition (see: EU Cyber Resilience Act May Cause Bottlenecks, Companies Say).
The EU regulators argue trading bloc-wide regulation will allow companies to avoid overlapping regulatory requirements within the EU, as well as streamline product placements across Europe.