Cyber Resilience Act

Proposal for a regulation on horizontal cybersecurity requirements for products with digital elements (COM(2022)454)

Category | Status
EU       | Adopted in the EU 10 October 2024.
EEA      | Pending. The Commission has marked the proposal as EEA-relevant.
Norway   | Pending.

Scope

The proposal aims to enhance the functioning of the internal market by introducing EU-wide cybersecurity requirements for the design, development, production and making available on the market of hardware and software products.

The Regulation will apply to all products that are connected, directly or indirectly, to another device or to a network. There are some exceptions for products for which cybersecurity requirements are already set out in existing rules, such as medical devices, aeronautical products and cars.

In addition to crucial cybersecurity requirements, the Regulation will impose obligations on economic operators and introduce provisions for conformity assessment, notification to conformity assessment bodies, and market surveillance.

Relevance

The objective of the proposal is to address deficiencies, clarify connections, and enhance the overall coherence of existing cybersecurity legislation. This includes ensuring the security of products with digital components, such as ‘Internet of Things’ (IoT) products, across the entire supply chain and throughout their lifespan, which will affect the businesses of manufacturers, importers and distributors alike.

Key obligations

The main obligations from the Commission proposal are:

  • Rules to rebalance responsibility for compliance towards manufacturers, imposing obligations such as providing cybersecurity risk assessments, issuing declarations of conformity and cooperating with authorities.
  • Vulnerability handling processes for manufacturers to manage vulnerabilities and ensure cybersecurity in digital products, along with responsibilities for economic operators such as importers or distributors in relation to those processes.
  • Steps to enhance transparency regarding the security of hardware and software products for both consumers and business users.
  • Establishment of a market surveillance framework to enforce compliance with the Regulation.