New Proposed Cyber Resilience Act For EU Residents
As 2021 saw more data breaches than any previous year, many of the world's countries have been grappling with new ways to protect themselves against the adverse effects of such events. To this end, news that broke last week announced that the European Commission was considering a new cybersecurity law referred to as the EU Cyber Resilience Act (CRA). If passed, the CRA would impose new cybersecurity requirements on businesses and organizations that serve citizens who reside within EU member states.
More specifically, “The CRA introduces common cybersecurity rules for manufacturers, developers, and distributors of products with digital elements, covering both hardware and software. The rules seek to ensure that: (i) connected products and software placed on the EU market are more secure; (ii) manufacturers remain responsible for cybersecurity throughout a product’s life cycle; and (iii) consumers are properly informed about the cybersecurity around the products that they buy and use.”
The duties of businesses under the CRA
In the event that the CRA is passed into law, it would mandate a number of new responsibilities and obligations for businesses that operate within the EU concerning cybersecurity and data protection. Most notably, businesses would only be permitted to sell products that contain digital elements on the condition that these products adhere to the "essential cybersecurity requirements". For example, one of these requirements states that "products must protect the availability of essential functions, including the resilience against and mitigation of denial of service attacks."
In addition, the CRA would place further requirements on so-called "critical products", as all digital products sold within the EU would be classified into specific categories according to their cybersecurity risk. For instance, under the proposed law, class 1 products would include password and network management systems, among other things, while class 2 products would include operating systems for mobile devices, desktops, and servers, such as Apple iOS and Google's ChromeOS.
Data breach notifications
The CRA would also place new obligations on businesses with respect to data breach notifications. For example, the law would require a business that has sustained a data breach to notify the European Union Agency for Cybersecurity (ENISA) "within 24 hours of becoming aware of any actively exploited vulnerability contained in the product or any incident having an impact on the security of the product." Furthermore, the users of such products must also be notified of any vulnerabilities without undue delay.
US-EU Privacy Shield agreement
Moreover, the new US-EU Privacy Shield agreement that President Biden unveiled last week will also affect any cybersecurity legislation that the EU enacts in the coming months. Due to the sheer amount of business that many American companies conduct within EU member states, cross-border transfers of personal data have been an area of concern for government officials and citizens in both the U.S. and the EU for many years. In particular, given the lack of data protection legislation that currently exists within the U.S., many EU member states have expressed concerns about the ability of US-based companies to protect the personal information of the EU's millions of citizens.
As a result, the CRA could serve as yet another form of protection for consumers who reside within EU member states, in conjunction with the provisions of the landmark General Data Protection Regulation (GDPR). To this point, if the manner in which the GDPR has been enforced in recent years is any indication, businesses that violate the provisions of the CRA could be subject to hefty fines and monetary penalties. Consequently, the passing of the CRA has the potential to make the data protection and personal privacy landscape within the EU even more rigorous than it is today.
While no single law or regulation will be enough to prevent consumers from having their personal privacy infringed upon, the steps that the EU has taken to assure citizens across Europe that their personal data will be protected through numerous measures are unrivaled anywhere in the world. This being said, the newly proposed cybersecurity law would still provide citizens who reside within EU member states with an additional layer of protection concerning data privacy.