Cybersecurity of products and entities soon becomes mandatory in the EU
Companies remain worryingly oblivious on the eve of tightening EU cybersecurity legislation. For industrial equipment and consumer devices in particular, redesign is becoming urgent. A dozen cybersecurity directives and regulations start to apply over the next few years, and non-compliance will make it illegal to sell existing products and digital services in the EU. Decision makers and product developers in both the device and software sectors therefore need to understand the new legislation now and start preparing.
The first significant tightening of the rules for devices comes through the Radio Equipment Directive (RED), whose new cybersecurity essential requirements start to apply on 1 August 2024. They cover radio equipment, that is, devices that communicate wirelessly, which is why even wireless headsets are within scope. From that day, most of today's wireless IoT devices can no longer be sold in the EU, because they no longer conform to the Directive. A company that wants to keep selling its current wireless IoT devices in the EU must reassess their conformity against the new requirements and renew the CE marking accordingly.
The NIS2 Directive must be transposed into the national law of the member states by October 2024. It expands the list of entities considered essential or important for society to include sectors such as the manufacturing of electrical equipment, the chemicals industry and ICT services. In principle, NIS2 applies only to medium-sized and large companies in these sectors, which are obliged to put in place information security management systems and risk-management measures. In practice, many small companies are affected as well, because the larger companies must in turn require their subcontractors to have appropriate cybersecurity processes in place (supply chain security is one of the measures NIS2 requires).
Even more far-reaching is the Cyber Resilience Act (CRA), which is expected to enter into force during 2025-26, followed by a transition period before its obligations apply. It covers all products with digital elements, i.e. devices, software and many electronic and software components, which will have to meet new CE marking requirements for cybersecurity.
These changes in EU regulation therefore demand attention and action from software companies as much as from industrial equipment manufacturers. For an agile software company, for example, CE marking may be an entirely unfamiliar concept.
A company that remains oblivious faces serious problems. There is an acute shortage of people who understand the legislation and can implement it in practice, and there is a lot to learn.
Now is the time to find the right partners and work together on what needs to be done in the face of changing regulation. It is equally important to open a discussion about the new requirements with subcontractors and other partners.
By acting on the new cybersecurity legislation in time, a company can continue to sell its products and services without interruption. A compliant company also protects itself and its management from legal liability and significant administrative fines should a harmful cybersecurity incident involve its offerings or operations.