New European Union cybersecurity proposal takes aim at cybercrime


"This regulation is a landmark step in ensuring the proliferation of trustworthy technologies," the Forum's head of cybersecurity said. Image: Photo by ALEXANDRE LALLEMAND on Unsplash

Spencer Feingold
Digital Editor, World Economic Forum

This article is part of: Centre for Cybersecurity


  • The European Union is advancing legislation to strengthen security requirements for all digital hardware and software products.
  • The proposal aims to curb cybercrime, which cost the global economy an estimated €5.5 trillion in 2021.
  • Many personal devices that are connected to the internet are particularly vulnerable to hacks.

Lawmakers are seeking to strengthen cybersecurity requirements across the European Union, advancing new legislation to bolster security requirements for all digital hardware and software products. The proposed law, titled the Cyber Resilience Act, would cover everything from computers and mobile phones to smart kitchen appliances and digital children’s toys.

“When it comes to cybersecurity, Europe is only as strong as its weakest link: be it a vulnerable Member State or an unsafe product along the supply chain,” said Thierry Breton, the EU’s commissioner for the internal market.

The proposed legislation, which was unveiled by the European Commission earlier this month, mandates that products are designed, developed and produced in ways that mitigate cybersecurity risks. This includes, for example, requirements to sell products in a secure default configuration, to maintain a thorough product identification system and to ensure that exploitable vulnerabilities can be addressed through security updates, among other cybercrime disclosure rules.

In recent years, the number of personal devices that are connected to the internet has grown significantly.

Yet many of these so-called Internet of Things products are highly vulnerable to hacks and cybercrimes. In fact, ransomware attacks occur worldwide every 11 seconds and cost the global economy an estimated €20 billion last year, according to Cybersecurity Ventures. Meanwhile, DDoS attacks—malicious efforts to disrupt or cut off access to internet services or websites—cost the EU economy alone roughly €65 billion in 2020.

In Belgium, for example, nearly 1,000 businesses were hit by cybercrimes in 2021—a 300% increase compared to the year prior, according to an analysis by Mastercard. The majority of cyber attacks entailed malware and ransomware strikes.

“We deserve to feel safe with the products we buy in the single market,” said Margrethe Vestager, executive vice president of the European Commission for A Europe Fit for the Digital Age. “The Cyber Resilience Act will ensure the connected objects and software we buy comply with strong cybersecurity safeguards.”

An official at the Microsoft Digital Crimes Unit shows a heat map of malicious computer networks in Western Europe in 2013. Image: REUTERS/Jason Redmond

Reinforced cybersecurity protocols are also expected to help companies and manufacturers—especially smaller businesses that may not have the technical resources or financial means to survive a cyberattack.

Earlier this year, the World Economic Forum’s Global Cybersecurity Outlook reported that the average cost of a cyber breach for a company was $3.6 million. Moreover, targeted companies saw stock prices fall and spent on average 280 days identifying and responding to a cyberattack.

“Technology leaders, companies and their boards of directors would do well to pay attention to these developments and recognize that cyber strategy is a business strategy and understanding cyber risk is part of good governance in the digital age,” said Daniel Dobrygowski, the head of governance and trust at the Forum’s Centre for Cybersecurity.

The proposed Cyber Resilience Act was welcomed by industry groups such as the TIC Council, a global organisation covering the independent testing, inspection and certification sectors. “The proposal constitutes a good first step towards a more cyber-resilient single market,” said Martin Michelot, the TIC Council’s executive director for Europe.

The legislation was first put forth by European Commission President Ursula von der Leyen in November 2021. If the act is approved by the European Parliament and the European Council, EU countries will have two years to adapt to the new rules.

“Digital trust is a necessity in a global economy reliant on ever-increasing connectivity, data use and new innovative technologies,” said Akshay Joshi, the head of industry and partnerships at the Forum’s Centre for Cybersecurity. “As common citizens increasingly become wary of the technologies they interact with, this regulation will further enhance transparency and allow end users to make informed choices.”

The EU’s Cyber Resilience Act joins several other pieces of legislation proposed around the world that aim to curb cybercrime, which cost the global economy €5.5 trillion in 2021, according to Cybersecurity Ventures. By 2025, cybercrime damages are expected to surpass €10 trillion.

Earlier this year, the United States enacted a new law bolstering cybercrime disclosure requirements for companies working in critical infrastructure sectors. The policy followed a major ransomware attack in May 2021 against Colonial Pipeline, which operates the country's largest pipeline system for jet fuel, gasoline and diesel. The attack, which was reportedly launched through an old corporate virtual private network, paralysed pipelines across the US East Coast and resulted in Colonial Pipeline paying roughly $5 million worth of Bitcoin to the hackers. The US Justice Department later recovered nearly half of the ransom payment.

Today, the US Securities and Exchange Commission and the US Congress are also pursuing new regulations to strengthen and standardise cybersecurity benchmarks and cybercrime disclosure requirements.

“Regulation has an important role to play in incentivizing cyber resilience,” Dobrygowski added.


License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.
