New Proposed Cyber Resilience Act For EU Residents

October 19, 2022 | 4 minutes read
New Proposed Cyber Resilience Act For EU Residents

As 2021 saw the most data breaches that had ever happened in the history of the world, many of the world’s countries have been grappling with finding new ways to protect themselves against the adverse effects of being involved in such events. To this end, news that broke last week announced that the European Commission was considering passing a new cybersecurity law referred to as the EU Cyber Resilience Act (CRA). Likewise, if passed, the CRA would impose new cybersecurity requirements on businesses and organizations that serve citizens that reside within EU member states.

More specifically, “The CRA introduces common cybersecurity rules for manufacturers, developers, and distributors of products with digital elements, covering both hardware and software.  The rules seek to ensure that: (i) connected products and software placed on the EU market are more secure; (ii) manufacturers remain responsible for cybersecurity throughout a product’s life cycle; and (iii) consumers are properly informed about the cybersecurity around the products that they buy and use.”

The duties of businesses under the CRA

In the event that the CRA is passed into law, it would mandate a number of new responsibilities and obligations on businesses that operate within the EU as it concerns cybersecurity and data protection. Most notably, businesses will only be permitted to sell products that contain digital elements under the condition that these products adhere to the “essential cybersecurity requirements”. For example, one of these requirements states that “products must protect the availability of essential functions, including the resilience against and mitigation of denial of service attacks.”

Alternatively, the CRA would also place additional requirements on so-called “critical products”, as all digital products that are sold around the EU would be classified into specific categories in accordance with their risk from a cybersecurity perspective. For instance, under the proposed law, class 1 products would include password and network management systems, among other things, while class 2 products would include the operating systems for mobile devices, desktops, and serves, such as Apple iOS and Google’s ChromeOS. 

Data breach notifications

What’s more, the CRA would also place new obligations on businesses with respect to data breach notifications. For example, the law would require a business that has sustained a data breach to provide notification to the European Union Agency for Cybersecurity (ENISA) “within 24 hours of becoming aware of any actively exploited vulnerability contained in the product or any incident having an impact on the security of the product.” Furthermore, the users of such products must also be notified of any vulnerabilities without undue delay. 

US-EU Privacy Shield agreement

Moreover, the new US-EU Privacy Shield agreement that President Biden recently unveiled last week will also stand to impact any potential cybersecurity legislation that is enacted by the EU in the upcoming months. Due to the sheer amount of business that many American companies conduct within EU member states, cross-border transfers of personal data have been an area of concern for government officials and citizens that reside in both the U.S. and the EU respectively for many years now. Nevertheless, due to the lack of data protection legislation that currently exists within the U.S., many EU member states have expressed their concerns regarding the ability of US-based companies to protect the personal information of the EU’s millions of citizens.

As a result, the CRA could serve as yet another form of protection for consumers that reside within EU member states, in conjunction with the provisions of the landmark General Data Protection Regulation (GDPR). To this point, if the manner in which the GDPR has been enforced in recent years is any indication, businesses that violate the provisions of the CRA could be subject to heft fines and monetary penalties. Consequently, the passing of the CRA has the potential to make the data protection and personal privacy landscape within the EU more rigorous than it already is currently. 

While no single law or regulation will be enough to prevent consumers from having their personal privacy infringed upon, the steps that the EU has taken to give citizens around Europe the assurance that their personal data will be protected through numerous measures is an unrivaled approach around the world. This being said, the new proposed cybersecurity law will still provide citizens that reside within EU member states with an additional layer of protection as it concerns data privacy. 

Related Reads

Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy
September 06, 2023 | 4 minutes read
Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy

Body-worn cameras are an essential piece of equipment for law enforcement officers and the redaction of faces from BWC footage is necessary to protect the privacy of individuals.

Learn More »
Sensitive Information, Protected: Patient Privacy, HIPAA, And You
August 30, 2023 | 4 minutes read
Sensitive Information, Protected: Patient Privacy, HIPAA, And You

HIPAA compliance ensures patient privacy. Often making the consequences of non-compliance severe, so how do you avoid that?

Learn More »
Protecting Privacy in the Healthcare Field: PII, PHI & PCI
July 12, 2023 | 5 minutes read
Protecting Privacy in the Healthcare Field: PII, PHI & PCI

Healthcare professionals handle a wide range of sensitive data that is crucial for delivering quality care. But protecting that data is getting harder.

Learn More »
FISA Section 702, Is The US Government Monitoring You?
June 26, 2023 | 6 minutes read
FISA Section 702, Is The US Government Monitoring You?

Is there a give-and-take relationship that must be accepted when it comes to keeping the country safe? Should U.S. persons be okay with the incidental collection of their conversations in the name of national security under FISA Section 702? Even when it violates their constitutional rights? Well, that’s up to Congress to decide.

Learn More »
The Gap You Won’t Want to Close: Air-Gapped Systems
June 05, 2023 | 6 minutes read
The Gap You Won’t Want to Close: Air-Gapped Systems

An air-gapped system is a computer, or network that is physically isolated from any external connections and networks which includes the Internet. It operates in total isolation with neither wired nor wireless connections to other devices.

Learn More »
Using Redaction for Privacy Maintenance as An Investigator
May 31, 2023 | 5 minutes read
Using Redaction for Privacy Maintenance as An Investigator

These oaths emphasize upholding the law, serving the public, and protecting the rights of individuals. One of these many rights is privacy. An investigator must adhere to the legal and ethical guidelines within the jurisdiction and perform their investigation within those specifically set boundaries.

Learn More »