What kind of risks does the proposal aim to address?

Cyber-attacks can spread across borders in the internal market within minutes. The regulation therefore tackles two issues.

The first is the low level of cybersecurity of many of these products and, more importantly, the fact that many manufacturers do not provide updates to address vulnerabilities.

While manufacturers of products with digital elements sometimes face reputational damage when their products lack security, the cost of vulnerabilities is predominantly borne by professional users and consumers. This limits the incentives of manufacturers to invest in secure design and development and to provide security updates.

The second is that businesses and consumers often do not have sufficient and accurate information when it comes to choosing products that are secure, and they often lack knowledge of how to make sure that the products they buy are set up in a way that is secure.

The new rules tackle these two aspects by addressing the issue of updates and the issue of providing up-to-date information to customers.

© 2023 European Union • CC BY 4.0 • “Cyber Resilience Act - Questions and Answers”

Disclaimer: This FAQ is subject to the disclaimer published on the European Commission's website.