European Union lawmakers have proposed a new set of product rules for smart devices that is intended to compel makers of Internet-connected hardware — such as ‘smart’ washing machines or connected toys — to pay close attention to device security.
The proposed EU Cyber Resilience Act will introduce mandatory cybersecurity requirements for products with “digital elements” sold across the bloc, with requirements applying throughout their lifecycle — meaning gadget makers will need to provide ongoing security support and updates to patch emerging vulnerabilities — the Commission said today.
The draft regulation also focuses on smart device makers communicating “sufficient and accurate information” to consumers — to ensure buyers are able to grasp security considerations at the point of purchase and set up devices securely after purchase.
Penalties proposed by the Commission for non-compliance with “essential” cybersecurity requirements scale up to the higher of €15M or 2.5% of worldwide annual turnover, with breaches of other obligations under the regulation carrying a maximum sanction of €10M or 2% of turnover.
The EU’s executive said the proposed regulation will apply to all products that are connected “either directly or indirectly to another device or network” — with some exceptions for products for which cybersecurity requirements are already set out in existing EU rules, such as medical devices, aviation and cars.
Pan-EU rules for smart device security
In a summary of the proposed measures, which are based on a Legislative Framework for EU product legislation that was updated in 2008, the Commission said they will lay down:
(a) rules for the placing on the market of products with digital elements to ensure their cybersecurity;
(b) essential requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to these products;
(c) essential requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the whole life cycle, and obligations for economic operators in relation to these processes. Manufacturers will also have to report actively exploited vulnerabilities and incidents;
(d) rules on market surveillance and enforcement.
“The new rules will rebalance responsibility towards manufacturers, who must ensure conformity with security requirements of products with digital elements that are made available on the EU market,” it wrote in a press release. “As a result, they will benefit consumers and citizens, as well as businesses using digital products, by enhancing the transparency of the security properties and promoting trust in products with digital elements, as well as by ensuring better protection of their fundamental rights, such as privacy and data protection.”
A Commission Q&A on the initiative further stipulates that manufacturers would undergo “a process of conformity assessment to demonstrate whether the specified requirements relating to a product have been fulfilled”. It notes that this might be done via self-assessment or by a third-party conformity assessment “depending on the criticality of the product in question”.
Where compliance with the applicable requirements has been demonstrated, device makers would be able to affix the EU’s CE mark — indicating conformity of digital elements with the product security regulation.
Non-compliance would be handled by market surveillance authorities appointed by Member States, which would be responsible for enforcement — with proposed powers not only to order a stop to non-compliance but to “eliminate the risk” by prohibiting a product from being sold or otherwise restricting its market availability. Competent authorities could also order infringing products to be withdrawn or recalled. Supplying incorrect, incomplete or misleading information to regulators and surveillance authorities would risk a fine of up to €5M or 1% of turnover.
Commenting in a statement, Margrethe Vestager, Commission EVP for digital strategy, added: “We deserve to feel safe with the products we buy in the single market. Just as we can trust a toy or a fridge with a CE marking, the Cyber Resilience Act will ensure the connected objects and software we buy comply with strong cybersecurity safeguards. It will put the responsibility where it belongs, with those that place the products on the market.”
Smart devices have been a hotbed of security horror stories for years, although there have been earlier legislative moves to plug glaring security gaps — such as a 2018 California law banning makers from setting easily guessable default passwords in devices.
The UK has also been working on a ‘security by design’ law for connected gadgets for a number of years — airing a draft back in 2019 (though this product security bill, which bundles in telecoms infrastructure security provisions, is still making its way through the British parliament).
Despite not being first to the punch on smart device security, the EU is hoping its nascent approach will become an international point of reference, with the Commission’s press release suggesting: “EU standards based on the Cyber Resilience Act will facilitate its implementation and will be an asset for the EU cybersecurity industry in global markets.”
However, there is still a fairly long road for the proposal to travel before it can become EU law, as the European Parliament and Council will need to examine the draft — and may seek to amend it.
The Commission has also proposed a two-year timeframe, once the regulation is adopted, for device makers and EU Member States to adapt to the full sweep of the new rules. So the regulation likely won’t be biting much before 2025.
That said, there is a shorter timeframe for the reporting obligation on manufacturers for “actively exploited vulnerabilities and incidents” — which would apply one year from the date of entry into force of the regulation, as the Commission expects that piece to be easier to implement.