The European Union has enacted the Cyber Resilience Act (Regulation (EU) 2024/2847), establishing comprehensive cybersecurity requirements for products with digital elements, including those utilizing artificial intelligence (AI).
The Cyber Resilience Act applies to all products with digital components, whether hardware or software, and requires adherence to uniform cybersecurity standards. For example, manufacturers are obligated to design and develop products that minimize vulnerabilities and ensure security throughout the product lifecycle. This includes implementing secure development practices and providing timely security updates.
The Act requires manufacturers to meet obligations of transparency and conformity, which include informing users about cybersecurity features and the duration of support. Additionally, the Act empowers authorities to monitor compliance and enforce measures against non-compliant products, establishes a single reporting platform for detected vulnerabilities in products with digital elements, and requires EU member states to issue penalties of up to €15 million or 2.5% of annual global turnover, whichever is higher.
AI products, particularly those connected to networks or processing sensitive data, are integral to the digital ecosystem. The Cyber Resilience Act's provisions ensure that AI products are developed with robust cybersecurity measures, addressing vulnerabilities that could be exploited by malicious actors. Manufacturers of AI products must now integrate cybersecurity considerations into their development processes, conduct thorough risk assessments, and maintain transparency with users regarding security features and support durations. Due to their nature, AI products may fall into higher-risk categories, necessitating rigorous compliance evaluations.