Cybersecurity requirements for ICT products
Over the past decades, information and communication technology products (hereinafter “ICT products”) have allowed society to become smarter and more connected, offering new benefits to consumers while creating opportunities for businesses across the EU. Meanwhile, the pervasiveness of ICT products within the EU Single Market has brought unforeseen challenges, not only to the users of such products but also to society at large.
In recent years, the EU has undertaken several initiatives with the aim of improving the legislation around product cybersecurity. Nevertheless, the current EU legislative framework still seems to be incomplete with respect to the cybersecurity of ICT products. Furthermore, evidence suggests that the heterogeneity of ICT products does not allow risk profiles to be aggregated per ICT product category and/or sector. Hence the need to define a set of essential cybersecurity requirements for all ICT products, applicable during the entire lifecycle.
Against this background, the EU Commission commissioned a study on the need for cybersecurity requirements for ICT products, which was recently published. The study concludes that horizontal legislation would represent the most cost-effective policy option, creating greater security in the European single market while enhancing business competitiveness, with the sector-specific and mixed approaches both being the second best. However, the study also concludes that a more comprehensive and quantitative assessment of these policy options should be performed in a follow-up study.