The EU unboxes its plan for smart device security

European Union lawmakers have proposed a new set of product rules to apply to smart devices that’s intended to compel makers of Internet-connected hardware — such as ‘smart’ washing machines or connected toys — to pay close attention to device security.

The proposed EU Cyber Resilience Act will introduce mandatory cybersecurity requirements for products with “digital elements” sold across the bloc, with requirements applying throughout their lifecycle — meaning gadget makers will need to provide ongoing security support and updates to patch emerging vulnerabilities — the Commission said today.

The draft regulation also has a focus on smart device makers communicating “sufficient and accurate information” to consumers — to ensure buyers are able to grasp security considerations at the point of purchase and set up devices securely after purchase.

Penalties proposed by the Commission for non-compliance with the “essential” cybersecurity requirements scale up to the higher of €15M or 2.5% of worldwide annual turnover, while breaches of other obligations under the regulation would carry a maximum sanction of €10M or 2% of turnover.

The EU’s executive said the proposed regulation will apply to all products that are connected “either directly or indirectly to another device or network” — with some exceptions for products for which cybersecurity requirements are already set out in existing EU rules, such as medical devices, aviation and cars.

Pan-EU rules for smart device security

In a summary of the proposed measures, which are based on the New Legislative Framework for EU product legislation adopted in 2008, the Commission said they will lay down:

(a) rules for the placing on the market of products with digital elements to ensure their cybersecurity;

(b) essential requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to these products;

(c) essential requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the whole life cycle, and obligations for economic operators in relation to these processes. Manufacturers will also have to report actively exploited vulnerabilities and incidents;

(d) rules on market surveillance and enforcement.

“The new rules will rebalance responsibility towards manufacturers, who must ensure conformity with security requirements of products with digital elements that are made available on the EU market,” it wrote in a press release. “As a result, they will benefit consumers and citizens, as well as businesses using digital products, by enhancing the transparency of the security properties and promoting trust in products with digital elements, as well as by ensuring better protection of their fundamental rights, such as privacy and data protection.”


A Commission Q&A on the initiative further stipulates that manufacturers would undergo “a process of conformity assessment to demonstrate whether the specified requirements relating to a product have been fulfilled”. It notes that this might be done via self-assessment or by a third-party conformity assessment “depending on the criticality of the product in question”.

Where compliance with the applicable requirements has been demonstrated, device makers would be able to affix the EU’s CE mark — indicating conformity of digital elements with the product security regulation.

Non-compliance would be handled by market surveillance authorities appointed by Member States, which would be responsible for enforcement — with proposed powers to not only order a stop to non-compliance but “eliminate the risk” by prohibiting a product from being sold or otherwise restricting its market availability. Competent authorities could also order infringing products to be withdrawn or recalled. Supplying incorrect, incomplete or misleading information to regulators and market surveillance authorities would risk a fine of up to €5M or 1% of turnover.

Commenting in a statement, Margrethe Vestager, Commission EVP for digital strategy, added: “We deserve to feel safe with the products we buy in the single market. Just as we can trust a toy or a fridge with a CE marking, the Cyber Resilience Act will ensure the connected objects and software we buy comply with strong cybersecurity safeguards. It will put the responsibility where it belongs, with those that place the products on the market.”


Smart devices have been a hotbed of security horror stories for years, although there have been earlier legislative moves to plug glaring security gaps, such as a 2018 California law banning makers from shipping devices with easily guessable default passwords.

The UK has also been working on a ‘security by design’ law for connected gadgets for a number of years — airing a draft back in 2019 (though this product security bill, which bundles telecoms infrastructure security provisions, is still making its way through the British parliament).

Despite not being first to the punch on smart device security, the EU is hoping its nascent approach will become an international point of reference, with the Commission’s press release suggesting: “EU standards based on the Cyber Resilience Act will facilitate its implementation and will be an asset for the EU cybersecurity industry in global markets.”

However there is still a fairly long road for the proposal to travel before it can become EU law, as the European Parliament and Council will need to examine the draft — and may seek to amend it.

The Commission has also proposed a two year timeframe once the regulation is adopted for device makers and EU Member States to adapt to the full sweep of the new rules. So the regulation likely won’t be biting much before 2025.

That said, there is a shorter timeframe for the reporting obligation on manufacturers for “actively exploited vulnerabilities and incidents” — which would apply one year from the date of entry into force of the regulation, as the Commission expects that piece to be easier to implement.
