I like the EU Cyber Resilience Act! There, I said it! Yes, this will make companies nervous in the short term, but this regulation is a watershed moment that will fundamentally shift how digital products are secured and maintained! This will FORCE the industry to adapt in more transparent and accountable ways.
I don’t like regulations in the tech world but will support such extreme measures when companies are not doing what is best for their customers. In this case, the industry has chosen not to voluntarily support good security practices such as these in the past. They often keep customers in the dark when attackers are running rampant and exploiting weaknesses in their products until they have a fix ready. Customers, if informed in a timely way, may be able to mitigate risks in other ways while waiting for a patch. But not if the company purposely chooses to keep them in the dark. So now, customers may be able to hold manufacturers accountable if they choose not to be forthcoming.
There are several aspects to this act, which is designed to inform and protect consumers of digital products:
1. Notification of exploitation (when vulnerabilities are being used by attackers to victimize targets)
2. Security patching support for the lifetime of the product
3. Differentiation between security and functionality updates where feasible
Companies that are worried about reporting when attackers are exploiting vulnerabilities in their products are basically saying they don’t want their customers to be aware.
I find the arguments against this act outdated. My favorite illogical argument is that “if we report when our products are exploited, then attackers will exploit them more.” Um, the genie is already out of the bottle. How about doing the decent thing and informing your customers that they are at serious risk of being victimized!