State of Play of the EU Cyber Resilience Act


On 15 September 2022, the European Commission presented its legislative proposal for the EU Cyber Resilience Act. With the proposal, the Commission seeks, on the one hand, to address the inadequate level of cybersecurity inherent in many products, including the insufficient provision of security updates for products and software. On the other hand, the proposal aims to tackle the difficulty that consumers and businesses currently face in identifying and assessing whether products are cybersecure, and in working out how to set up products so that their cybersecurity is adequately protected. To remedy these issues, the Commission wants to lay down harmonised rules on mandatory cybersecurity requirements for placing products with digital elements on the market, that is, products that are connected directly or indirectly to another device or network, including hardware, software and ancillary services. Moreover, the cybersecurity requirements of the Cyber Resilience Act will include a framework for the planning, design, development and maintenance of such products, with certain obligations to be met at every stage of the value chain. In line with this, the Act also seeks to lay down obligations for manufacturers, importers and distributors of these products, imposing a duty of care across the entire life cycle of the product.

Representing online traders, platforms and, more generally, users of products with digital elements, Ecommerce Europe welcomes the European Commission’s objective of introducing requirements that guarantee an adequate and necessary level of cybersecurity for businesses and consumers alike. At a time when cyber-attacks are becoming increasingly prevalent, including against businesses, it is of key importance to take the necessary precautions to preserve business secrets as well as the privacy of customers and their personal information. Moreover, we firmly believe that the harmonised rules on cybersecurity requirements, to be implemented once the Cyber Resilience Act is adopted, will contribute to a level playing field for vendors of products with digital elements and thus strengthen the overall competitiveness of such products. That being said, trees do not grow to the sky, and while enhanced cybersecurity will indeed bring a number of benefits, the proposal cuts both ways for the digital commerce sector. In particular, Ecommerce Europe has reservations about the potentially burdensome obligations that the Cyber Resilience Act will place on the various actors along the e-commerce value chain, whether they act as importers or as vendors. We especially fear that these obligations might constrain the competitiveness of small and medium-sized enterprises across Europe. As such, Ecommerce Europe will continue to follow developments on the file to assess the impact the proposed regulation will have on the sector.

Co-legislators shaping their positions

Currently, the Commission’s proposed text is under scrutiny in both the European Parliament and the Council of the European Union. The Parliament’s lead Rapporteur on the file, Nicola Danti (Renew, Italy) of the Committee on Industry, Research and Energy, recently shared his draft report, which introduces significant changes to the Commission’s original proposal. For instance, the draft report does not impose a fixed expected lifetime for a product, but instead allows manufacturers to determine the lifetime of their products, as long as it aligns with general consumer expectations. In relation to this, manufacturers must roll out automatic security updates for their products throughout the lifetime they have determined, and will be required to inform consumers when the product is nearing the end of that lifetime. This proposed change is of key importance to businesses, as it makes the duty of care obligations for products with digital elements more reasonable and more feasible to comply with.

In the Council, the Swedish Presidency, which took over the file in January 2023, recently presented its latest compromise text, incorporating previous changes and introducing new elements. In line with the Parliament’s view that automatically rolled-out security updates should be part of a product’s default settings, the Council further clarifies that this requirement shall “not apply to products intended to be integrated into components of other products, nor to devices for which users would not ‘reasonably expect’ automatic updates, like an industrial setting where the update could interfere with the operations.”

If you have any questions or wish to know more about the topic, please feel free to contact us at