The European Commission today unveiled a sweeping set of measures designed to fortify the cyber resilience of companies and public bodies across the EU. The package, part of the Union’s Digital Decade strategy, introduces new certification schemes for software and smart devices, expands the scope of existing data protection rules, and establishes a pan‑EU framework for rapid incident response.
Key Provisions
The core of the proposal is a mandatory security standard for all digital products placed on the EU market. Manufacturers will need to obtain an EU cyber‑security certification before a product can be sold, so that critical vulnerabilities are identified and fixed early in the supply chain rather than patched after the product is already deployed.
"The new framework will raise the bar for security across all sectors," said Commissioner Maroš Šefčovič. "We cannot afford to let technology outpace our protective measures."
The package also expands the scope of the General Data Protection Regulation (GDPR) by tightening data handling rules for AI‑driven services, and introduces a coordinated incident‑reporting system that will enable authorities to share threat intelligence in real time.
Industry Reaction
While many tech firms welcomed the move as a way to level the playing field, some expressed concerns about the cost of compliance. “We are committed to security, but we need clear guidance on how these new requirements will affect smaller developers,” said a spokesperson for a leading European software company.
Looking Ahead
The Commission plans to roll out the first phase of the certification scheme by 2028, with full enforcement expected by 2030. The initiative signals the EU’s intent to become the global benchmark for cyber resilience, setting a standard that other regions may soon follow.