Web-connected devices may have to meet new EU cybersecurity rules
- Damages from software and hardware cybercrime amounted to roughly US$6 trillion last year alone
- Open-source devices would not have to meet the new rules unless they are marketed commercially

Providers of internet-connected technology – from Apple iPhone software to baby monitors – will have to meet new cybersecurity requirements in the European Union or face fines and possibly have the product taken off the market, according to a draft proposal seen by Bloomberg.
New rules from the European Commission, called the Cyber Resilience Act and set to become public next week, are aimed at improving the security of devices in the face of surging online attacks across the globe. Damages from software and hardware cybercrime amounted to roughly US$6 trillion last year alone.
Appliances and other household devices are increasingly equipped with sensors and online connections, creating what’s known as the Internet of Things.
These products can have “a low level of cybersecurity, reflected by widespread vulnerabilities and the insufficient and inconsistent provision of security updates to address them”, according to the draft, and provide users with “insufficient” information on their level of protection.
“In a connected environment, a cybersecurity incident in one product can affect an entire organisation or a whole supply chain, often propagating across the borders of the internal market within a matter of minutes,” the draft said. “This can lead to severe disruptions of economic and social activities or even become life threatening.”
Under the proposed EU rules, products will have to meet various cyber standards to receive an approval marking and be sold regionally. Open-source devices would not have to meet these rules unless they are marketed commercially.
EU countries – or the EU’s cyber agency, when asked by the commission – will be able to investigate any device sold in the region for noncompliance. Even if devices meet the cyber rules, they may still be found to “present a significant cybersecurity risk”, to risk people’s health and safety, or to fail to comply with fundamental rights.