European Union legislators have proposed a new set of product rules applicable to smart devices designed to force makers of internet-connected hardware — such as “smart” washing machines or connected toys — to pay extra attention to device security.
The proposed EU Cyber Resilience Act will introduce mandatory cybersecurity requirements for “products with digital elements” sold across the bloc, with the requirements applying throughout a product's lifecycle – meaning gadget makers must provide ongoing security support and ship updates to patch newly discovered vulnerabilities, the Commission said today.
The draft regulation also requires smart device makers to communicate “sufficient and accurate information” to consumers – so that buyers can weigh security considerations at the time of purchase and set up devices securely afterwards.
Sanctions proposed by the Commission for non-compliance with the “essential” cybersecurity requirements can amount to €15 million or 2.5% of global annual turnover (whichever is higher), while other breaches of the regulation carry a maximum penalty of €10 million or 2% of turnover.
The EU executive said the proposed regulation will apply to all products that are “connected directly or indirectly to another device or network” – with some exceptions for products for which cybersecurity requirements are already enshrined in existing EU rules, such as medical devices, aviation and automobiles.
Pan-EU smart device security rules
In a summary of the proposed measures, which are based on a legislative framework for EU product legislation updated in 2008, the Commission said they will establish:
(a) rules for the marketing of products with digital elements to ensure their cybersecurity;
(b) essential requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to those products;
(c) essential requirements for the vulnerabilities handling processes implemented by manufacturers to ensure the cybersecurity of products with digital elements throughout the lifecycle, and obligations for economic operators in relation to these processes. Manufacturers will also have to actively report exploited vulnerabilities and incidents;
(d) market surveillance and enforcement rules.
“The new rules will rebalance the responsibility towards manufacturers to ensure compliance with the security requirements of products with digital elements made available on the EU market,” it wrote in a press release. “As a result, consumers and citizens, as well as businesses using digital products, will benefit by increasing the transparency of security features and fostering trust in products with digital elements, as well as ensuring better protection of their fundamental rights, such as privacy and data protection.”
A Commission Q&A on the initiative further states that manufacturers “would undergo a conformity assessment process to demonstrate compliance with specified requirements in relation to a product”. It notes that this can be done through self-assessment or through a third-party conformity assessment “depending on the criticality of the product in question”.
Once compliance with the applicable requirements has been demonstrated, manufacturers can affix the EU's CE marking to the product, indicating that the product with digital elements conforms to the regulation's security requirements.
Non-compliance would be handled by market surveillance authorities appointed by Member States with responsibility for enforcement – with proposed powers not only to require that the non-compliance be ended, but also to “eliminate” the risk by prohibiting the product's sale or otherwise restricting its availability on the market. Competent authorities could also order that infringing products be withdrawn or recalled. Separately, providing incorrect, incomplete or misleading information to regulators and supervisory authorities can draw a fine of up to €5 million or 1% of turnover.
Margrethe Vestager, the Commission's EVP for digital strategy, added in a statement: “We deserve to feel safe with the products we buy in the single market. Just as we can trust a toy or a fridge with a CE mark, the Cyber Resilience Act will ensure that the connected objects and software we purchase meet strong cybersecurity safeguards, putting the responsibility where it belongs, on those who bring the products to market.”
Smart devices have been a hotbed of security horror stories for years. There have been earlier legislative steps to close the most glaring gaps, such as a 2018 California law prohibiting manufacturers from shipping devices with easily guessed default passwords.
The UK has also been working on a ‘security by design’ law for connected gadgets for a number of years – a draft was aired in 2019, although this product security law, which is bundled with telecoms infrastructure security measures, is still making its way through the UK Parliament.
So while the EU is not first into the field of smart device security, it hopes its nascent approach will become an international reference point, with the Commission's press release suggesting: “EU standards based on the Cyber Resilience Act will facilitate its implementation and will be an asset to the EU cybersecurity industry in global markets.”
However, there is still quite a long way to go before the proposal can become EU law, as the European Parliament and Council will have to examine the draft – and possibly try to amend it.
The Commission has also proposed a two-year transition period once the regulation is adopted, to allow device manufacturers and EU Member States to adapt to the full scope of the new rules. So the regulation probably won't bite much before 2025.
That said, there is a shorter transition period for manufacturers' obligation to report “actively exploited vulnerabilities and incidents” – which would apply one year from the regulation's entry into force, as the Commission expects this part to be easier to implement.