On 10 June 2021, the European Parliament (EP) adopted a resolution on the EU’s Cybersecurity Strategy for the Digital Decade in order to make connected products and associated services secure by design, resilient to cyber incidents, and able to be quickly patched if vulnerabilities are discovered. While MEPs welcomed the Commission’s plans for horizontal legislation on cybersecurity requirements for connected products and associated services, they also stressed the need for the Commission to harmonise national laws in order to avoid fragmentation of the Single Market. The EP called for promotion of the development of secure and reliable networks/information systems, infrastructure, and connectivity across the Union.

The Commission is now called on to assess the need for a proposal on a regulation introducing cyber-security requirements for applications, software, embedded software, and operating systems by 2023. In addition, MEPs emphasised that outdated applications, software, embedded software, and operating systems no longer receiving regular patches and security updates constitute a significant share of all connected devices and a cyber-security risk – this issue therefore needs to be included in the Commission’s proposal.

The MEPs acknowledged that the COVID-19 crisis has further exposed cyber-vulnerabilities in several critical sectors, e.g., healthcare, and the number of cyber-attacks on healthcare systems is on the rise. The resolution cautioned that the use of hybrid threats (including the use of disinformation campaigns and cyber-attacks on infrastructure) is increasing and that they risk affecting democratic processes, such as elections, legislative procedures, law enforcement, and the administration of justice. The lack of agreement on cyber-intelligence collaboration at the EU level and the lacking collective response to cyber- and hybrid attacks are also cause for concern.