European Union lawmakers have proposed a new set of product rules to apply to smart devices that are intended to compel makers of Internet-connected hardware — such as ‘smart’ washing machines or connected toys — to pay fulsome attention to device security.
The proposed EU Cyber Resilience Act will introduce mandatory cybersecurity requirements for products that have “digital elements” sold across the bloc, with requirements applying throughout their lifecycle — meaning gadget makers will need to provide ongoing security support and updates to patch emerging vulnerabilities — the Commission stated.
Penalties proposed by the Commission for non-compliance with the “essential” cybersecurity requirements scale up to the higher of €15M or 2.5% of worldwide annual turnover, while breaches of the regulation’s other obligations carry a maximum sanction of €10M or 2% of turnover.
The EU’s executive said the proposed regulation will apply to all products that are connected “either directly or indirectly to another device or network” — with some exceptions for products for which cybersecurity requirements are already set out in existing EU rules, such as medical devices, aviation, and cars.
Pan-EU rules for smart device security
In a summary of the proposed measures, which are based on a Legislative Framework for EU product legislation which was updated in 2008, the Commission said they will lay down:
(a) rules for the placing on the market of products with digital elements to ensure their cybersecurity;
(b) essential requirements for the design, development, and production of products with digital elements, and obligations for economic operators about these products;
(c) essential requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the whole life cycle, and obligations for economic operators about these processes. Manufacturers will also have to report actively exploited vulnerabilities and incidents.
(d) rules on market surveillance and enforcement.
“The new rules will rebalance responsibility towards manufacturers, who must ensure conformity with security requirements of products with digital elements that are made available on the EU market,” it wrote in a press release. “As a result, they will benefit consumers and citizens, as well as businesses using digital products, by enhancing the transparency of the security properties and promoting trust in products with digital elements, as well as by ensuring better protection of their fundamental rights, such as privacy and data protection.”
Where compliance with the applicable requirements has been demonstrated, device makers would be able to affix the EU’s CE mark — indicating conformity of digital elements with the product security regulation.
Non-compliance would be handled by market surveillance authorities appointed by the Member States, which would be responsible for enforcement — with proposed powers not only to order a stop to non-compliance but to “eliminate the risk” by prohibiting a product from being sold or otherwise restricting its market availability. Competent authorities could also order infringing products to be withdrawn or recalled. Supplying incorrect, incomplete, or misleading information to regulators and surveillance authorities would risk a fine of up to €5M or 1% of turnover.
Commenting in a statement, Margrethe Vestager, Commission EVP for digital strategy, added: “We deserve to feel safe with the products we buy in the single market. Just as we can trust a toy or a fridge with a CE marking, the Cyber Resilience Act will ensure the connected objects and software we buy comply with strong cybersecurity safeguards. It will put the responsibility where it belongs, with those that place the products on the market.”
However, there is still a fairly long road for the proposal to travel before it can become EU law, as the European Parliament and Council will need to examine the draft — and may seek to amend it.
The Commission has also proposed a two-year time frame once the regulation is adopted for device makers and the EU Member States to adapt to the full sweep of the new rules. So the regulation likely won’t be biting much before 2025.
That said, there is a shorter timeframe for the reporting obligation on manufacturers for “actively exploited vulnerabilities and incidents” — which would apply one year from the date of entry into force of the regulation, as the Commission expects that piece to be easier to implement.