EU pitches cyber law to fix patchy Internet of Things
Products carrying the CE marking would have to meet a minimum level of cybersecurity checks.
The European Commission on Thursday presented a new Cyber Resilience Act proposal aimed at imposing new cybersecurity requirements on internet-connected devices ranging from "smart" toys and fridges to security cameras.
Manufacturers of digitally connected products would have to meet new EU requirements, whether the products are produced in the EU or not. The act would ensure products carrying the CE marking meet a minimum level of cybersecurity checks. Sensitive products running afoul of the rulebook face fines of up to €15 million, or 2.5 percent of worldwide turnover, whichever is higher.
"We need to protect our IT area, our cyberspace and our internal market," EU Internal Market Commissioner Thierry Breton said, showing an internet-connected camera and warning such a device could pose risks of hacking and even state-backed espionage.
An annex attached to the legislation lays out how there would be two categories for products: one for critical products, which will cover about 10 percent of the market; and a second category that will cover all other products. For low-risk products, the Commission will ask companies to perform a self-assessment, indicating that a product meets cybersecurity standards. For those that can present a significant cybersecurity risk, a manufacturer will have to prove they meet the requirements to a national authority or through a third-party assessment.
For mobile phones, for instance, "the cybersecurity parts of a product like this escape regulation. And this is what we're coming to address," said Margaritis Schinas, Commission vice president responsible for security policy.
Under the new law, the Commission would also have the power to direct the EU Cybersecurity Agency ENISA to evaluate whether a product presents a “significant cybersecurity risk,” and recall a product if it does.
The new bill still needs to be reviewed by the European Parliament and the EU Council before it becomes law.
Manufacturers of digitally connected products would have to meet new EU requirements, whether the products are produced in the EU or not. The act would ensure products carrying the CE marking meet a minimum level of cybersecurity checks. Sensitive products running afoul of the rulebook face fines of up to €15 million, or 2.5 percent of worldwide turnover, whichever is higher.
"We need to protect our IT area, our cyberspace and our internal market," EU Internal Market Commissioner Thierry Breton said, showing an internet-connected camera and warning such a device could pose risks of hacking and even state-backed espionage.
An annex attached to the legislation lays out how there would be two categories for products: one for critical products, which will cover about 10 percent of the market; and a second category that will cover all other products. For low-risk products, the Commission will ask companies to perform a self-assessment, indicating that a product meets cybersecurity standards. For those that can present a significant cybersecurity risk, a manufacturer will have to prove they meet the requirements to a national authority or through a third-party assessment.
For mobile phones, for instance, "the cybersecurity parts of a product like this escape regulation. And this is what we're coming to address," said Margaritis Schinas, Commission vice president responsible for security policy.
Under the new law, the Commission would also have the power to direct the EU Cybersecurity Agency ENISA to evaluate whether a product presents a “significant cybersecurity risk,” and recall a product if it does.
The new bill still needs to be reviewed by the European Parliament and the EU Council before it becomes law.
AI Disclaimer: An advanced artificial intelligence (AI) system generated the content of this page on its own. This innovative technology conducts extensive research from a variety of reliable sources, performs rigorous fact-checking and verification, cleans up and balances biased or manipulated content, and presents a minimal factual summary that is just enough yet essential for you to function as an informed and educated citizen. Please keep in mind, however, that this system is an evolving technology, and as a result, the article may contain accidental inaccuracies or errors. We urge you to help us improve our site by reporting any inaccuracies you find using the "Contact Us" link at the bottom of this page. Your helpful feedback helps us improve our system and deliver more precise content. When you find an article of interest here, please look for the full and extensive coverage of this topic in traditional news sources, as they are written by professional journalists that we try to support, not replace. We appreciate your understanding and assistance.
