Hall 9, 26/06/2018 (13.30-15.30)

In September 2017, the European Commission and the European External Action Service published the Joint Communication on “Resilience, Deterrence and Defence: Building strong cybersecurity for the EU” (JOIN/2017/0450 final). In the Communication, the Commission announced its intention to launch a joint initiative with industry to define a "duty of care" principle for reducing product/software vulnerabilities and promoting "security by design".

A “duty of care” for cybersecurity in products and services would be tied to a fault-based liability regime, in which a vendor or service provider is legally responsible only where negligence or fault can be shown (as opposed to a strict liability regime, which entails liability without fault). Establishing such a duty presupposes agreement on a cybersecurity “standard of care”: a set of principles and requirements that all vendors and service providers would have to adhere to, covering security by design but also patching, vulnerability disclosure policies and similar obligations. As regards enforcement and uptake, both regulatory and co-regulatory options may be envisaged.


ID: 21275