On 15 September 2022 the European Commission presented a proposal known as the Cyber Resilience Act (COM(2022) 454). The proposed regulation provides obligatory requirements for products with digital elements. The latter are defined as a software or hardware product and its remote data processing solutions, regardless of whether the software or hardware components are put on the market separately.
The attention to security-by-design is immediately visible from the first key article imposing obligations on manufacturers. They ought to ensure that products are designed, developed and produced in accordance with the further requirements of the proposed regulation. Similar to the approach taken in the GDPR, the security requirements listed in the annex to the proposal should be complied with on the basis of a risk assessment and where applicable.
Such requirements include a secure-by-default configuration, design with the purpose of limiting attack surfaces, and design with the purpose of mitigating the effects of a potential incident. A crucial step to ensure harmonized practices and efficient trade within the EU’s internal market is the CE marking, which is attached to compliance with the security requirements.
The European Commission is sending a momentous signal by throwing its weight behind security-by-design and making this concrete by adding detailed security requirements for software and hardware to a legal framework. And they are not alone in making such a plea for security-by-design. Both Europol and Interpol have recently highlighted the risks caused by the Metaverse – and by extension virtual reality and augmented reality – publishing reports on new criminal activities taking place on such platforms. Both reports mention the importance of the design of these platforms and how it is a key factor in making these technologies more secure.