The European Cyber Resilience Act explained – how it impacts your business


On the 15th of September 2022, the European Commission published its proposal for a new regulation setting cybersecurity requirements for products with digital elements (such as smart fridges, cameras, TVs and toys) placed on the market across the EU. As of July 2023, it was approved. It aims to ensure greater security around hardware and software products. But how does this impact businesses across the UK? Read on to discover exactly what the EU Cyber Resilience Act means for your business.

European Cyber Resilience Act

What is the EU Cyber Resilience Act?

The European Cyber Resilience Act sets cybersecurity requirements for “products with digital elements” that are placed and sold on the EU market. It also covers any non-embedded software or hardware components that are sold separately.

Essentially, the Act details the approach manufacturers must take when creating products with digital elements, including both hardware and software. Products affected by these changes range from digital refrigerators to baby monitors and are typically the objects everyday consumers may use. It’s designed to protect those who could be most vulnerable to a cybersecurity risk.

This legislation was proposed on the 15th of September 2022 by the European Commission and was approved in July 2023.

What does this Act cover?

The legislation will apply to those companies that manufacture or place products with digital elements on the EU market. For UK companies, it can apply to both manufacturers and importers or resellers of such hardware and software, especially those with operations within the European Union. Different rules will apply to specific sectors, such as the defence, motor vehicle and medical sectors.

Beverley Flynn, Head of Data Protection and Cybersecurity at law firm Stevens & Bolton, commented, “Whilst this legislation stems from the EU it is indicative of the more regulatory approach to ensuring that Cyber security remains firmly on the agenda when manufacturing, designing and selling products. It will be interesting to see what the UK brings to the arena on this point.”  

Cyber resiliency describes an organisation’s ability to both protect against and recover from cyberattacks, and the EU’s Cyber Resilience Act looks to support businesses in achieving it. The Act strives to equip businesses for the whole life of the product, from inception, design and production through to maintenance, in order to reduce cyber risks.

The four key objectives set out by the European Commission are to:

  1. Enable manufacturers to improve the security of products with digital elements. This must apply from the design stage, through development and across the product’s entire lifecycle.
  2. Guarantee a cybersecurity framework that’s coherent and can facilitate compliance for both hardware and software creators and producers.
  3. Provide enhanced transparency around security properties for products that feature digital elements.
  4. Ensure both businesses and consumers can securely use products with digital elements.

The EU Cyber Resilience Act aims to address potential weaknesses in the ongoing life cycle of a product. It should cover hardware or software updates as well as new releases to market. Manufacturers will need to consider cybersecurity requirements from the commencement of the product development phase through to when the customer receives the product or service.

Beverley Flynn, a legal expert on the issue, suggests “that the legislation is not prescriptive in its detail, but more resolution focused with requirements in respect of items not dissimilar to those anticipated by the General Data Protection regime for personal data. Including:

  • Cyber security risk assessments
  • Due diligence
  • Conformity assessments of product vulnerability handling requirements
  • Mandatory recall obligations
  • Incident reporting to the EU Agency for Cybersecurity (ENISA)
  • Appointment of authorised representatives”

Why has this Act come into place?

Cybercrime is continuing to rise across the globe, and cyber resiliency is offering both governments and organisations a way to strengthen their defence against ever-evolving threats.

This Act also reflects the European Commission’s Shaping Europe’s Digital Future strategy. The aim is to ensure that Europe ‘seizes the opportunity and gives its citizens, businesses and governments control over the digital transformation.’

The EU Cyber Resilience Act cements this vision by providing a foundation for safe use in the digital space, acting as building blocks to ensure that all digital opportunities for businesses and beyond can be utilised.

How does the EU Cyber Resilience Act impact UK businesses?


Now that we know what the EU Cyber Resilience Act is, you may be asking the question: How does it impact UK businesses?

UK’s cybersecurity laws

As it stands, there are three prominent laws in the UK to be aware of when it comes to cybersecurity:

UK Computer Misuse Act 1990

First passed over 30 years ago, the Computer Misuse Act 1990, together with the Data Protection Act 1984, was one of the first laws in the UK that sought to make malicious attacks or offences against computers, such as malware and hacking, illegal.

UK General Data Protection Regulation and the Data Protection Act 2018

Whilst not strictly cybersecurity-focused, the current UK GDPR and Data Protection Act undoubtedly have a bearing on cybercrime law here in the UK. Together they form the predominant data protection law in the country. The DPA derives from European Union law, the General Data Protection Regulation, and acts as the UK’s domestic equivalent of it.

The Network & Information Systems (NIS) Regulations

These create a common level of security for network and information systems, aiming to address the threats posed to them from a range of areas, most notably cyber-attacks. Although NIS primarily concerns cybersecurity measures, it also covers physical and environmental factors.

NIS applies to two groups of organisations: ‘operators of essential services’ (OES) and ‘relevant digital service providers’ (RDSPs), and places security and incident-reporting requirements on both groups.

UK Cybersecurity Laws – The verdict

Businesses trading overseas will need to be sure that all product requirements, data collection and protection in place are compliant with the country they are trading in.

Similarly, when dealing with supply chains in the EU, UK organisations will need to ensure that any products placed on the market are handled appropriately in line with both UK and EU law.

The future of UK cybersecurity law

The UK’s Computer Misuse Act was put in place over three decades ago, with the Network & Information Systems (NIS) Regulations following in 2018. Both technology and cybercriminal behaviour have continued to adapt and advance, something cybersecurity laws are continually trying to keep up with.

Both the Shaping Europe’s Digital Future and Cyber Resilience Act are symbolic of a global movement towards cyber resiliency. As it stands, the UK’s Computer Misuse Act 1990 doesn’t account for these subtleties and the fast-changing world of cybersecurity continues to throw challenges its way.

Take ethical hacking, for example. Like penetration testing, ethical hacking is undertaken to understand weak points in a network where a cybercriminal might take the opportunity to attack. An ethical hacker and an unethical hacker would technically use the same techniques and processes, but there is a big difference in the intent of their act.

The Computer Misuse Act doesn’t currently take this intent into account, but with the CyberUP campaign putting pressure on the government to update UK cybersecurity legislation to include a statutory defence, we might see a change here.

Perhaps the UK’s cybersecurity law needs to be reassessed in light of this Cyber Resilience Act. In fact, if it proves successful across the EU, there’s a chance it could be considered for the UK market. It might also be more cost-effective for manufacturers to produce UK and EU-based products to these cybersecurity requirements.

Be cyber resilient with ramsac

If you want to stay ahead when it comes to cybersecurity, ramsac’s Cyber Resilience Certification will assess your organisation’s position against cybercrime, proving to your customers and stakeholders just how seriously you take their data protection. Contact us today to get started.
