The European Commission, the European Union’s executive branch, today proposed new legislation designed to improve the security of connected devices.
The legislation, known as the Cyber Resilience Act, covers “wired and wireless products that are connected to the internet,” according to the Commission. It exempts certain product categories, such as medical devices, that are already covered by sector-specific EU rules.
The Cyber Resilience Act specifies that hardware makers should “factor cybersecurity in the design and development” of connected devices. Additionally, hardware makers would be required to provide cybersecurity updates and support for a “reasonable period of time” after releasing a new device.
The proposed legislation also includes a number of other rules. If implemented, the Cyber Resilience Act would require hardware makers to inform consumers about what cybersecurity support is available for connected devices. Moreover, the legislation would establish “rules on market surveillance and enforcement.”
How hardware makers handle cybersecurity issues in their products is another focus of the Cyber Resilience Act. Companies covered by the legislation would have to report cybersecurity incidents such as data breaches, and would also have to disclose vulnerabilities in their devices that are being actively exploited by attackers.
Hardware makers would have to demonstrate compliance with the Cyber Resilience Act by putting their products through a cybersecurity conformity assessment. Once a product passes, its maker could affix the CE marking to it. The CE marking indicates that a product complies with regulatory requirements in the European Economic Area.
“We deserve to feel safe with the products we buy in the single market,” stated European Commission Executive Vice President Margrethe Vestager. “Just as we can trust a toy or a fridge with a CE marking, the Cyber Resilience Act will ensure the connected objects and software we buy comply with strong cybersecurity safeguards. It will put the responsibility where it belongs, with those that place the products on the market.”
Companies that don’t meet the cybersecurity requirements in the Cyber Resilience Act would face fines. Under the proposed legislation, regulators could impose fines of up to 15 million euros or 2.5% of a company’s total worldwide annual turnover, whichever is higher.
The Cyber Resilience Act now goes before the European Parliament and the Council of the European Union. If it’s approved, hardware makers would have two years to meet the cybersecurity requirements specified in the legislation.
Hardware makers in several industries, including the mobile market, will also have to comply with new device charging rules that EU lawmakers approved earlier this year. Companies to which the rules apply will have to ship their devices with USB-C support starting in 2024. Moreover, hardware makers are required to give consumers the option of buying devices with or without a charger.