Cybersecurity Compliance

European Parliament Approves Cyber Resilience Act

Why This Data Privacy Alert Is Important

With Internet of Things (IoT) devices increasingly prevalent in the world—and as a vector for cybercrime—the European Parliament has approved the Cyber Resilience Act, legislation that, if adopted by the European Council, will mandate new security standards for digitally connected products in the European Union.

Advances in technology open up new possibilities not only for businesses and consumers who use the products, but also for criminals. The impact of cyberattacks through digitally connected IoT devices, ranging from cars and televisions to other household appliances like refrigerators, stoves, thermostats, and more, has increased dramatically in recent years, with approximately 60% of vendors indicating that they had lost money due to product security issues. 

The Cyber Resilience Act aims to require heightened cybersecurity measures for products with digital elements and their integrated remote data processing solutions. Products will be classified according to their potential for cybersecurity risk, with higher-risk products stringently examined by an outside regulatory body and lower-risk products certified internally by their manufacturers.

Products covered by the Act must include security components both at release and throughout the products’ lifecycle, allowing consumers to make informed choices that weigh potential cybersecurity impacts of the products they purchase and use. “The Cyber Resilience Act will strengthen the cybersecurity of connected products, tackling vulnerabilities in hardware and software alike, making the EU a safer and more resilient continent,” Nicola Danti, lead member of the European Parliament, said. 

What the Cyber Resilience Act Covers

“Under certain conditions, all products with digital elements integrated in or connected to a larger electronic information system can serve as an attack vector for malicious actors,” the Act stipulated. “As a result, even hardware and software considered to be less critical can facilitate the initial compromise of a device or network, enabling malicious actors to gain privileged access to a system or to move laterally across systems.” 

Both hardware and software products will be governed by the Cyber Resilience Act. In addition to hardware products like cars, televisions, and other appliances, the new rules will cover products including identity management systems software, password managers, biometric readers, smart home assistants and private security cameras. 

Resilience isn't built from a single action—it is a multitude of steps taken long before something ever happens that creates the capacity to withstand adversity. If passed, the Cyber Resilience Act will require businesses to identify, evaluate, manage and mitigate security risk of connected devices. Examples of a Security by Design (SbD) compliance strategy may include risk assessments, threat modeling, developing secure production protocols, and training engineers and development teams. Resilience against criminal actors exploiting software and hardware takes a village, and this law is a clear signal from the European Parliament that the private sector and businesses manufacturing connected devices are ground zero for mitigating cyber risk.

Justine Phillips, Partner, Baker & McKenzie LLP

Data Privacy Tip

Published by CISA in November 2021, the Cybersecurity Incident and Vulnerability Response Playbooks provide a framework to understand and implement response plans to minimize the risk of cyberattacks. Download the Exterro FTK® action plan, Implementing the CISA Cybersecurity Response Playbook, to learn how to respond effectively to cybersecurity incidents. 
