New Law Demands Five Years Of Security Patches

By John Lister

Tougher rules mean makers of digital devices and software will have to report actively exploited vulnerabilities and serious security incidents more quickly. They'll also have to supply security patches for at least five years.

The rules come from the European Union. They technically only cover products sold in EU member countries, though in such cases manufacturers often change their behavior worldwide rather than maintain separate product lines. The financial penalties for breaking the rules are calculated on global turnover, not just EU sales.

The rules, which will become the Cyber Resilience Act, cover "products with digital elements." These include smart and connected devices, plus software with a security function such as password managers, virtual private network clients or antivirus tools.

Automatic Patches Required

The final version of the law will specify which products come under the rules. It will also designate some as "important" or "critical", which determines how strict the conformity requirements are and whether a third-party assessment is needed. The rules don't apply to open-source software that is developed or supplied outside of any commercial activity.

Manufacturers and developers will need to build cyber security into products from the design stage, including assessing the potential risks, and fully document their security processes. They'll also have to issue security patches for five years and support automatic updates. Security fixes must be delivered separately from updates that fix performance issues or add new features, so users can apply them without taking on unrelated changes.

They'll also need to notify the relevant national cyber security authority of any actively exploited vulnerability or serious incident within 24 hours of becoming aware of it. For more severe cases they'll also need to tell users of the device or software, including what they can do to protect themselves.

The rules also mean anyone who imports or distributes products with digital elements from outside the EU will need to take adequate steps to make sure those products meet the same security requirements.

Hefty Penalties

The maximum penalty for breaking the rules is €15 million or 2.5 percent of global annual revenue, whichever is higher.

The rules have been under discussion since they were proposed in September last year, and members of the European Parliament have now completed negotiations with the Council, which represents national governments. The agreed text still requires a final approval vote, which looks almost certain to pass. Once the law comes into force, businesses will have three years to fully comply.

What's Your Opinion?

Are these rules sensible? Would you like to see them applied in other countries? Do you take security policies into account when buying gadgets or software?



Chief

The problem with government providing all the guardrails is that the average consumer will become totally ignorant of what security policies actually do, and since they won't care, they will be "surprised" when they get compromised and the "too big to fail" companies will pay fines and move on, leaving the end user with the mess. And the lawmakers will pass more laws to make certain "this never happens again".

russoule

No, the bigger problem is that the COST for all this rulemaking is passed on to the consumer and THAT is when the surprise will happen. Let's face it, any time the companies are forced by law to do or provide something, it is something that the consumer has not requested or it would already be provided. The various government decrees rarely, if ever, take into account the additional cost to the ultimate consumer, whether digital demands or vehicle demands or airplane demands or health demands. When was the last time a government allowed the consumer to choose to pay a lower price and do without those "demands"?