EU pitches cyber law to fix patchy Internet of Things
Products carrying the CE marking would have to meet a minimum level of cybersecurity checks.
The European Commission on Thursday presented a new Cyber Resilience Act proposal aimed at imposing new cybersecurity requirements on internet-connected devices ranging from "smart" toys and fridges to security cameras.
Manufacturers of digitally connected products would have to meet new EU requirements, whether the products are produced in the EU or not. The act would ensure products carrying the CE marking meet a minimum level of cybersecurity checks. Sensitive products running afoul of the rulebook face fines of up to €15 million, or 2.5 percent of worldwide turnover, whichever is higher.
"We need to protect our IT area, our cyberspace and our internal market," EU Internal Market Commissioner Thierry Breton said, showing an internet-connected camera and warning such a device could pose risks of hacking and even state-backed espionage.
An annex attached to the legislation lays out how there would be two categories for products: one for critical products, which will cover about 10 percent of the market; and a second category that will cover all other products. For low-risk products, the Commission will ask companies to perform a self-assessment, indicating that a product meets cybersecurity standards. For those that can present a significant cybersecurity risk, a manufacturer will have to prove they meet the requirements to a national authority or through a third-party assessment.
For mobile phones, for instance, "the cybersecurity parts of a product like this escape regulation. And this is what we're coming to address," said Margaritis Schinas, Commission vice president responsible for security policy.
Under the new law, the Commission would also have the power to direct the EU Cybersecurity Agency ENISA to evaluate whether a product presents a “significant cybersecurity risk,” and recall a product if it does.
The new bill still needs to be reviewed by the European Parliament and the EU Council before it becomes law.
Manufacturers of digitally connected products would have to meet new EU requirements, whether the products are produced in the EU or not. The act would ensure products carrying the CE marking meet a minimum level of cybersecurity checks. Sensitive products running afoul of the rulebook face fines of up to €15 million, or 2.5 percent of worldwide turnover, whichever is higher.
"We need to protect our IT area, our cyberspace and our internal market," EU Internal Market Commissioner Thierry Breton said, showing an internet-connected camera and warning such a device could pose risks of hacking and even state-backed espionage.
An annex attached to the legislation lays out how there would be two categories for products: one for critical products, which will cover about 10 percent of the market; and a second category that will cover all other products. For low-risk products, the Commission will ask companies to perform a self-assessment, indicating that a product meets cybersecurity standards. For those that can present a significant cybersecurity risk, a manufacturer will have to prove they meet the requirements to a national authority or through a third-party assessment.
For mobile phones, for instance, "the cybersecurity parts of a product like this escape regulation. And this is what we're coming to address," said Margaritis Schinas, Commission vice president responsible for security policy.
Under the new law, the Commission would also have the power to direct the EU Cybersecurity Agency ENISA to evaluate whether a product presents a “significant cybersecurity risk,” and recall a product if it does.
The new bill still needs to be reviewed by the European Parliament and the EU Council before it becomes law.
