EU lawmakers have proposed a new set of product rules to apply to smart devices aimed at forcing makers of internet-connected devices – such as “smart” washing machines or connected toys – to pay close attention to device security.
The proposed EU Cyber Resilience Act will introduce mandatory cybersecurity requirements for products with “digital elements” sold across the bloc, with the requirements applying throughout the product lifecycle – meaning device makers will need to provide ongoing security support and updates to patch emerging vulnerabilities, the European Commission said today.
The draft regulation also focuses on smart device makers communicating “sufficient and accurate information” to consumers – to ensure that buyers can understand security considerations at the point of purchase and set up devices securely after purchase.
Sanctions proposed by the Commission for non-compliance with the “essential” cybersecurity requirements amount to a maximum of €15 million or 2.5% of total annual worldwide turnover, with other compliance breaches subject to fines of up to €10 million or 2% of turnover.
The EU executive said the proposed regulation would apply to all products connected “either directly or indirectly to another device or network” – with some exceptions for products for which cybersecurity requirements are already set out in existing EU rules, such as medical devices, aviation and cars.
Pan-EU rules for the security of smart devices
In its summary of the proposed measures, which build on the framework for EU product legislation updated in 2008, the Commission said the regulation would set out:
(a) the rules for placing products with digital elements on the market to ensure their cyber security;
(b) the basic requirements for the design, development and production of products with digital elements, and obligations to economic operators in relation to such products;
(c) the basic requirements for the vulnerability handling processes that manufacturers must establish to ensure the cybersecurity of products with digital elements during their entire life cycle, and the obligations of economic operators in relation to these processes. Manufacturers will also have to actively report exploited vulnerabilities and incidents;
(d) the rules on market surveillance and enforcement.
“The new rules will rebalance responsibility towards manufacturers, who must ensure compliance with security requirements for products with digital elements supplied on the EU market,” the Commission wrote in a press release. “As a result, it will benefit consumers and citizens, as well as businesses that use digital products, by enhancing the transparency of security features and by enhancing trust in products with digital elements, as well as by ensuring better protection of their fundamental rights, such as privacy and data protection.”
A Commission Q&A on the initiative further states that manufacturers will undergo a “conformity assessment process to establish whether specific product requirements have been met”. It points out that this can be done by self-assessment or by a third-party conformity assessment, “depending on the importance of the product in question”.
Upon demonstrating compliance with the applicable requirements, device makers will be able to affix the European Union’s CE marking – indicating that the product with digital elements complies with the regulation.
Non-compliance is dealt with by the market surveillance authorities designated by the member states, which will be responsible for enforcement – with proposed powers not only to stop non-compliance but to “eliminate risk” by prohibiting the sale of the product or otherwise restricting its availability on the market. Competent authorities can also order the recall or withdrawal of infringing products. Providing incorrect, incomplete or misleading information to regulators and market surveillance authorities would risk a fine of up to €5 million or 1% of turnover.
Commenting in a statement, Margrethe Vestager, the Commission’s Executive Vice-President in charge of digital strategy, added: “We deserve to feel safe with the products we purchase in the single market. Just as we can trust a CE-marked toy or refrigerator, the Cyber Resilience Act will ensure that the connected objects and software we purchase comply with strong cybersecurity safeguards. It will put the responsibility in place, with those who bring the products to market.”
Smart devices have been a hotbed of security horror stories for years. There have been some previous legislative moves to plug glaring security holes – such as a 2018 California law that prevents manufacturers from shipping hardware with easy-to-guess default passwords.
The UK has also been working on a security-by-design code for connected devices for a number of years – a draft was published back in 2019 (although the Product Security bill, which also covers elements of communications infrastructure security, is still making its way through the UK Parliament).
Despite not being the first to tackle the security of smart devices, the EU hopes its emerging approach will become an international reference point, with the Commission press release noting that: “EU standards based on the Cyber Resilience Act will facilitate its implementation and will also be an asset for the cybersecurity industry in the European Union in world markets.”
However, the proposal still has a fairly long way to go before it becomes EU law, as the European Parliament and the Council will need to examine the draft – and may seek to amend it.
The Commission has also proposed a two-year transition period, once the regulation is adopted, for device makers and EU member states to adapt to the full set of new rules. So it is likely that the regulation will not bite before 2025.
However, there is a shorter time frame for manufacturers’ obligation to report “actively exploited vulnerabilities and incidents” – this will apply one year after the date of the regulation’s entry into force, as the Commission expects this part to be easier to implement.