(September 8): Suppliers of internet-connected technology — from Apple iPhone software to baby monitors — will have to meet new cybersecurity requirements in the European Union or face fines and possibly have the product pulled from the market, according to a draft proposal seen by Bloomberg.
New rules from the European Commission called the Cyber Resilience Act, which are due to be made public next week, aim to improve the security of devices in the face of a surge in online attacks around the world. Damage caused by software and hardware cybercrime amounted to approximately $6 trillion last year alone.
Home appliances and other everyday products are increasingly equipped with sensors and online connections, creating what is known as the Internet of Things. These products may have “a low level of cybersecurity, reflected by widespread vulnerabilities and the insufficient and inconsistent provision of security updates to address them”, according to the draft, and provide users with “insufficient” information about their level of protection.
“In a connected environment, a cybersecurity incident in a product can affect an entire organization or supply chain, often spreading across domestic market borders within minutes,” the draft says. “This can lead to severe disruption of economic and social activities, and even be life-threatening.”
Under the proposed EU rules, products will need to meet various cyber standards to receive an approval mark and be sold regionally. Open-source devices would not have to meet these rules unless they were released.
EU countries – or the EU cyber agency, at the request of the commission – will be able to investigate any device sold in the region for non-compliance. Even devices that comply with the cyber rules may still be found to be “presenting a significant risk to cyber security”, endangering the health and safety of people, or not respecting fundamental rights.
The European Union Agency for Cybersecurity, known as ENISA, will also set up a vulnerability database to help assess cross-border attacks.
If a device does not meet the new standards, national regulators can have a product recalled or removed from the market altogether in the EU. In exceptional circumstances, the commission may also do so.
Fines for violating an essential part of the proposed rules could reach €15 million (US$15 million), or 2.5% of a company’s worldwide annual revenue, whichever is higher. Less serious violations could result in fines of €10 million or 2% of annual worldwide sales.
If a company is found to provide “incorrect, incomplete or misleading” information, it can be fined €5 million, or up to 1% of its annual turnover.
“In an interconnected single market, we are only as strong as the weakest link,” Internal Market Commissioner Thierry Breton wrote in a 2021 article. “So we need to collectively improve our level of security.”
The commission predicts that the proposal will save €180 billion to €290 billion each year. However, companies and public authorities will have to spend around 29 billion euros to comply with and enforce the new cyber rules.
The Financial Times was the first to report on the draft proposal.