This article is more than 1 year old

EU puts smart device manufacturers on the hook for cyber security

Requires five years of patching, 24 hour incident reporting, and proper security … for starters

The European Commission has revealed a Cyber Resilience Act that will require manufacturers of connected devices to secure them properly before shipping, disclose and fix flaws promptly, and guarantee fixes will flow for five years.

"Computers, phones, household appliances, virtual assistance devices, cars, toys … each and every one of these hundreds of million connected products is a potential entry point for a cyber attack," explained Thierry Breton, European commissioner for internal market. "And yet, today most of the hardware and software products are not subject to any cyber security obligations.”

The Commission's concerns go beyond the hacking of the product itself and to the impact one incident might have on the entire supply chain. The org cited potential fallouts as "severe disruption of economic and social activities across the internal market, undermining security or even becoming life-threatening."

Yes, the Commission mentioned death by cybers.

The draft legislation, which has been in the works since September 2021, "introduces mandatory cyber security requirements for products with digital elements, throughout their whole lifecycle."

The Act provides infosec requirements that must be met before products can reach Europe's markets, some covering their design, development and production.

Once the products go on sale, the Act will oblige manufacturers to disclose incidents within 24 hours of becoming aware of them, and address vulnerabilities through security support and software updates. Manufacturers are required to resolve cyber security problems for a period of either five years, or the product's expected lifetime.

"The new rules will rebalance responsibility towards manufacturers,” said the Commission.

Once the law passes, manufacturers will have a grace period of two years to adapt to the new requirements. For vulnerability and incident reporting, the grace period is just one year.

The proposed regulation does provide some exceptions for products such as medical devices, airplanes, and cars, as they are already subject to other regulations.

Failure to comply could result in fines of up to $15 million (€15 million) or 2.5 percent of the offender's total worldwide annual turnover for the preceding financial year.

Lest anyone assume the legislation will only affect Europe, the Commission was not shy to express that it has potential to establish global standards, calling it "likely to become an international point of reference."

The Commission won't mind if that happens, having already led the world with the General Data Protection Regulation (GDPR) and action against tech giants over their business practices and use of data. ®

More about


Send us news

Other stories you might like