The EU’s proposed Cyber Resilience Act, which would introduce cybersecurity standards and regulations for all products and connected devices, is not enough to actually mitigate the increasing risk of cyberattacks.
There is no question that the act, first introduced late last year by European Commission president Ursula von der Leyen in her State of the Union address, is admirable and may go a long way toward raising awareness about cybersecurity and cybercrime. Heightened threats continue, especially from Russia and China, and are aimed at Europe and the United States—these attacks could ultimately affect civilians. With the proliferation of connected devices, attack surfaces and the potential consequences for both governments and civilians are also growing at record rates.
“If everything is connected, everything can be hacked,” von der Leyen said. But, even if the regulation—along with another proposal known as NIS2 that would set out uniform cybersecurity standards for those providing critical services—is eventually approved later this year, it will not reduce the number of attacks or the increasing damage they cause. This is true of cybersecurity regulations in general, including the updated password compliance directives from the National Institute of Standards and Technology (NIST) in the U.S.; on their own, they are not sufficient and may even provide a false sense of security.