New European Union cybersecurity proposal takes aim at cybercrime

Lawmakers are seeking to strengthen cybersecurity requirements across the European Union, advancing new legislation to bolster security requirements for all digital hardware and software products. The proposed law, titled the Cyber Resilience Act, would cover everything from computers and mobile phones to smart kitchen appliances and digital children’s toys.

"When it comes to cybersecurity, Europe is only as strong as its weakest link: be it a vulnerable Member State or an unsafe product along the supply chain,” said Thierry Breton, the EU’s commissioner for the internal market.

The proposed legislation, which was unveiled by the European Commission earlier this month, mandates that products are designed, developed and produced in ways that mitigate cybersecurity risks. This includes, for example, requirements to sell products in a secure default configuration, to maintain a thorough product identification system and to ensure that exploitable vulnerabilities can be addressed through security updates, among other cybercrime disclosure rules.

In recent years, the number of personal devices that are connected to the internet has grown significantly.

Yet many of these so-called Internet of Things products are highly vulnerable to hacks and cybercrimes. In fact, ransomware attacks occur worldwide every 11 seconds and cost the global economy an estimated €20 billion last year, according to Cybersecurity Ventures. Meanwhile, DDoS attacks—malicious efforts to disrupt or cut off access to internet services or websites—cost just the EU economy roughly €65 billion in 2020.

In Belgium, for example, nearly 1,000 businesses were hit by cybercrimes in 2021—a 300% increase compared to the year prior, according to an analysis by Mastercard. The majority of cyber attacks entailed malware and ransomware strikes.

“We deserve to feel safe with the products we buy in the single market,” said Margrethe Vestager, executive vice president of the European Commission for A Europe Fit for the Digital Age. “The Cyber Resilience Act will ensure the connected objects and software we buy comply with strong cybersecurity safeguards.”

Reinforced cybersecurity protocols are also expected to help companies and manufacturers—especially smaller businesses that may not have the technical resources or financial means to survive a cyberattack.

Earlier this year, the World Economic Forum’s Global Cybersecurity Outlook reported that the average cost of a cyber breach for a company was $3.6 million. Moreover, targeted companies saw stock prices fall and spent on average 280 days identifying and responding to a cyberattack.

“Technology leaders, companies and their boards of directors would do well to pay attention to these developments and recognize that cyber strategy is a business strategy and understanding cyber risk is part of good governance in the digital age,” said Daniel Dobrygowski, the head of governance and trust at the Forum’s Centre for Cybersecurity.

The proposed Cyber Resilience Act was welcomed by industry groups such as the TIC Council, a global organisation covering the independent testing, inspection and certification sectors. “The proposal constitutes a good first step towards a more cyber-resilient single market,” said Martin Michelot, the TIC Council’s executive director for Europe.

The legislation was first put forth by European Commission President Ursula von der Leyen in November 2021. If the act is approved by the European Parliament and the European Council, EU countries will have two years to adapt the new rules.

“Digital trust is a necessity in a global economy reliant on ever-increasing connectivity, data use and new innovative technologies,” said Akshay Joshi, the head of industry and partnerships at the Forum’s Centre for Cybersecurity. “As common citizens increasingly become wary of the technologies they interact with, this regulation will further enhance transparency and allow end users to make informed choices.”

The EU’s Cyber Resilience Act joins several other pieces of legislation proposed around the world that aim to curb cybercrime, which cost the global economy €5.5 trillion in 2021, according to Cybersecurity Ventures. By 2025, cybercrime damages are expected to surpass €10 trillion.

Earlier this year, the United States enacted a new law bolstering cybercrime disclosure requirements for companies working in critical infrastructure sectors. The policy followed a major ransomware attack in May 2021 against Colonial Pipeline, which operates the country's largest pipeline system for jet fuel, gasoline and diesel. The attack, which was reportedly launched through an old corporate virtual private network, paralysed pipelines across the US East Coast and resulted in Colonial Pipeline paying roughly $5 million worth of Bitcoin to the hackers. The US Justice Department later recovered nearly half of the ransom payment.

Today, the US Securities and Exchange Commission and the US Congress are also pursuing new regulations to strengthen and standardise cybersecurity benchmarks and cybercrime disclosure requirements.

“Regulation has an important role to play in incentivizing cyber resilience,” Dobrygowski added.