20 Jan 2022

Cybersecurity Requirements for ICT Products

Lorenzo Pupillo / Carolina Polito


In recent years, the EU has undertaken several initiatives aimed at improving legislation on product cybersecurity. Nevertheless, the current EU legislative framework still appears incomplete with respect to the cybersecurity of ICT products. Furthermore, evidence suggests that the heterogeneity of ICT products does not allow risk profiles to be aggregated per ICT product category and/or sector. Hence the need to define a set of essential cybersecurity requirements for all ICT products, applicable throughout the entire lifecycle.

Against this background, the study concludes that horizontal legislation would represent the most cost-effective policy option, creating greater security in the Single Market while enhancing business competitiveness, with the sector-specific and mixed approaches both being second best. However, a more comprehensive and quantitative assessment of these policy options should be performed in a follow-up study.