Insight

The European Cyber Resilience Act is coming

Oliver Süme
22/03/2022

Locations

Germany

"We cannot talk about defence without talking about cyber. If everything is connected, everything can be hacked" - Ursula von der Leyen, President of the European Commission in her 2021 State of the Union Address.

With these words of warning, Ursula von der Leyen addressed the European Commission in 2021 to gather support for the upcoming Cyber Resilience Act, which is expected to be adopted in the third quarter of 2022. The Act aims to establish a uniform security standard for digital products and services on the European market. In this way, the regulation complements the existing NIS Directive and the existing Cyber Security Act and aims to further develop the standards for cyber security in the EU. This is to be achieved through uniform requirements for the security of products and services. The details of the design are still open.

Last week, on 17.03.2022, the European Commission informed the public and stakeholders about its plans for the regulation and invited them to comment and to contribute impact assessments.

The need for this regulation is justified not only with reference to the fragmentation of cyber security requirements in the European market, but also with the current security forecast of the European Cyber Security Agency: the agency predicted that attacks against European supply chains will quadruple in the coming years. Attacks against cloud infrastructures are even expected to increase fivefold. The transport sector, as well as public institutions and industry, will be particularly affected. Due to the increasing interconnectivity of all areas of life, the risk potential is also increasing exponentially. In concrete terms, this means that interconnected systems are particularly vulnerable to attack as a whole, because attackers can gain access via the weakest link: in terms of cyber security, the advantages of networking are thus reversed.

The concrete design has not yet been decided. Thus, it remains to be seen whether voluntary measures, such as voluntary certification schemes, "ad hoc" regulatory measures or a combined approach will be introduced. Above all, however, the scope of the regulation is not yet clear, both in quantitative and in qualitative terms. It remains to be decided which obligations will be imposed on economic actors and what exactly the "harmonised standards" should look like. A particular difficulty here lies in the variety of applications and services on the market. Assessing these and, above all, establishing comparability of their security requirements presents the Union with a not inconsiderable challenge. It is not unlikely at this point that the regulation will ultimately be formulated in a rather soft and spongy way in order to cover the variety of use cases.

This uncertainty is illustrated by the different ideas on how more security is to be achieved. While von der Leyen speaks primarily of security standards for products and services, Thierry Breton wants to go beyond that. He also demands that defence aspects be taken into account, i.e. that more offensive means be used in addition to pure security measures. Here, too, it remains unclear how this is to be done. This task will probably not fall to the private sector, but will instead be implemented by the defence ministries of the member states. Especially with regard to the war in Ukraine, the question takes on a new relevance. Cyber attacks are an integral part of the Russian offensive and illustrate the central role of the cyber dimension in today's conflicts. In this the EU would not be acting purely altruistically, because the cyber attacks in Ukraine also show that such attacks can potentially spread to European networks.

Ultimately, it remains to be seen how far-reaching the security standards will be in detail. What is certain is that shifting responsibility for cyber security to the private sector places a potential burden on it. Nevertheless, the European Commission sees potential for a positive impact on the economy by (i) increasing public trust in the digital economy, (ii) limiting revenue losses due to cyber attacks, (iii) creating a level playing field for all providers through uniform security standards in the internal market and (iv) increasing competitiveness with third countries through high cyber security requirements. Also, in view of the war in Ukraine, comprehensive protection of Europe against cyber attacks is essential.
