Web-connected devices may have to meet new EU cybersecurity rules
- Damages from software and hardware cybercrime amounted to roughly US$6 trillion last year alone
- Open-source devices would not have to meet the new rules unless they are marketed commercially
Providers of internet-connected technology – from Apple iPhone software to baby monitors – will have to meet new cybersecurity requirements in the European Union or face fines and possibly have the product taken off the market, according to a draft proposal seen by Bloomberg.
New rules from the European Commission, called the Cyber Resilience Act and set to become public next week, are aimed at improving the security of devices in the face of surging online attacks across the globe. Damages from software and hardware cybercrime amounted to roughly US$6 trillion last year alone.
Appliances and other household devices are increasingly equipped with sensors and online connections, creating what’s known as the Internet of Things.
These products can have “a low level of cybersecurity, reflected by widespread vulnerabilities and the insufficient and inconsistent provision of security updates to address them”, according to the draft, and provide users with “insufficient” information on their level of protection.
“In a connected environment, a cybersecurity incident in one product can affect an entire organisation or a whole supply chain, often propagating across the borders of the internal market within a matter of minutes,” the draft said. “This can lead to severe disruptions of economic and social activities or even become life threatening.”
Under the proposed EU rules, products will have to meet various cyber standards to receive an approval marking and be sold regionally. Open-source devices would not have to meet these rules unless they are marketed commercially.
EU countries – or the EU’s cyber agency, when asked by the commission – will be able to investigate any device sold in the region for noncompliance. Even devices that meet the cyber rules may still be found to “present a significant cybersecurity risk”, to risk people’s health and safety, or to fail to comply with fundamental rights.
The European Union Agency for Cybersecurity, known as ENISA, will also set up a vulnerability database to help assess cross-border attacks.
If a device does not meet the new standards, national regulators can have the product recalled or completely taken off the market in the EU. In exceptional circumstances, the commission can do so as well.
Fines for violating an essential part of the regulation proposal could reach 15 million euros (US$15 million), or 2.5 per cent of a company’s worldwide annual revenue, whichever is higher. Less serious violations could lead to fines of 10 million euros or 2 per cent of global yearly sales.
If a company is found providing “incorrect, incomplete or misleading” information, it could be fined 5 million euros, or up to 1 per cent of annual revenue.
“In an interconnected single market, we are only as strong as the weakest link,” Internal Market Commissioner Thierry Breton wrote in a 2021 post. “We must therefore improve our level of security collectively.”
The commission predicts that the proposal will save 180 billion euros to 290 billion euros each year. However, companies and public authorities will have to spend an estimated 29 billion euros to comply with and enforce the new cyber rules.
The Financial Times first reported a draft of the proposal.