EU Establishes Manufacturing Requirements for Digital Devices

The European Council and Parliament have reached a provisional agreement on a comprehensive cyber resilience law that is expected to bolster the cybersecurity resilience of interconnected devices within the region. While the legislation awaits formal approval, it is anticipated to mandate stringent cybersecurity requirements throughout the lifecycle of digital products such as connected home cameras, refrigerators, televisions, and digital toys. While the  legislation is expected to complement existing EU cybersecurity regulations, the proposal needs to be legally revised before implementation. 

“Today’s agreement is a milestone towards a safe and secure digital market in Europe. Connected devices need a basic level of cybersecurity when sold in the EU, ensuring that businesses and consumers are properly protected against cyber threats,” says José Luis Escrivá, Minister of Digital Transformation of Spain. The legislation will address regulatory gaps and enhance the coherence of existing cybersecurity laws, and ensure that products featuring digital components, such as IoT devices, adhere to stringent security measures throughout the entirety of the supply chain.

Mandated compliance is scheduled to take effect three years after the law's enactment, allowing manufacturers sufficient time to adjust to the novel requirements. It includes obligations for manufacturers to determine product lifespans and report software vulnerabilities to authorities, among others. Through this initiative, the EU’s regulation will enable consumers to factor in cybersecurity considerations when selecting, purchasing and using interconnected digital products. 

This cybersecurity legislation will serve to enhance users’ digital safety by incentivizing and ensuring “robust cybersecurity of digital devices in the EU from their conception and throughout their life cycle,” says Thierry Breton, Internal Market Commissioner, European Union. It applies to all products directly or indirectly linked to other devices or networks, and includes specific exemptions for products already subject to established cybersecurity standards in existing EU regulations, such as medical devices, aerospace products, and vehicles.

This cybersecurity legislation is set to complement existing EU regulations regarding digital security, fortifying the continent's digital infrastructure and fostering a secure digital environment for both businesses and consumers alike. The EU's proposal will proceed at a technical level to finalize the details of the new regulation and undergo legal-linguistic revision before its formal adoption. 

This EU cybersecurity legislation resembles the US’ cybersecurity certification and labeling program, the Cyber Trust Mark. The program is meant to mimic the effect of nutrition labels on food products, namely offering end consumers the security information of IoT devices so they can make informed decisions before purchasing potentially vulnerable devices. Similar to the EU's cybersecurity proposal, the Cyber Trust Mark is expected to encourage manufacturers to enhance the security measures of their products while raising cybersecurity awareness among digital consumers.