The Cyber Resilience Act: a law with unintended consequences?

The EU’s upcoming Cyber Resilience Act has big ambitions, with the goal of improving security for anything with “digital elements”.

The Act will apply to hardware and software. The idea is to make it easier to update devices and to fix any vulnerabilities. This addresses the very real risk posed by devices that ship with vulnerable code and that cannot be patched.

So why, then, has a group of cyber security professionals written an open letter to the European Commission asking it to change a key part of the proposed rules?

Experts are concerned that, by requiring organisations to disclose vulnerabilities within 24 hours, the Act could increase, rather than reduce, risk. It could put pressure on firms that run bug bounty programmes and, in a worst-case scenario, even prompt more researchers to take zero-days to the dark web.

Our guest today is Christine Bejerasco, CISO at WithSecure and one of the signatories of the letter.

We asked her to set out the background to the Act, and how security researchers would like to see it changed.

Interview by Stephen Pritchard.
