Tech companies launch coalition to bolster cybersecurity ahead of new EU legislation
As the EU nears the finalisation of new cybersecurity legislation requiring vendors and service providers to offer security updates throughout a product’s lifetime, prominent tech companies have taken the initiative to enhance cybersecurity measures.
The Network Resilience Coalition, unveiled on 25 July and comprising 11 founding members, including industry giants Cisco, Intel, AT&T, Broadcom, and Fortinet, was established with the goal of bolstering the security of software and hardware updates and mitigating cyber risks within tech networks.
The coalition’s objectives partially overlap with the provisions outlined in the Cyber Resilience Act, a draft law in the EU designed to introduce security requirements for connected devices. Under the proposed legislation, manufacturers would be mandated to ensure security patches and vulnerability handling throughout a product’s expected lifetime.
The coalition aims to unite technology providers, security experts, and network operators to tackle the existing lack of comprehensive software and hardware updates. By fostering open and collaborative discussions, the coalition intends to address global cybersecurity challenges more effectively.
Defining the expected lifetime of a product remains a topic of discussion among EU policymakers, but the general direction suggests that manufacturers should establish this information and communicate it transparently to consumers before purchase.
Coordinated by the Center for Cybersecurity Policy & Law, the Network Resilience Coalition is currently in the process of drafting a strategic paper that will lay the foundation for its initiatives. Regular coalition meetings are already underway, with plans for expansion in the future. Meanwhile, the European Council, Parliament, and Commission are expected to commence trilogue discussions in September regarding the Cyber Resilience Act.
End-of-life cybersecurity risks are a significant concern: when products reach the end of their lifecycle, vendors discontinue updates and support. Malicious actors can exploit vulnerabilities in such products, especially through shared credentials and default configurations. To mitigate these risks, some members of the European Parliament propose that if a manufacturer sets a product’s expected lifetime to be shorter than five years, users must have access to applicable security products to ensure ongoing safety. In certain cases, original manufacturers may be required to disclose the source code to security providers.