The proposed EU Cyber Resilience Act is aimed at improving the security of connected devices in Europe, but could have global benefits if manufacturers retool their product lines to come into compliance with it.
The language of the act covers a very broad range of devices, clearly meant to strengthen the security of the internet-connected “smart” market by setting baseline manufacturing standards and requiring that manufacturers issue updates to address newly discovered vulnerabilities. These security features would also have to be documented for consumers in a way that is easy to understand. The proposed terms bear resemblance to elements of the General Data Protection Regulation (GDPR), as do the fines: a maximum of 2.5% of annual turnover for violations.
Security of connected devices in EU regulatory crosshairs
Spurred by the explosion of cyber crime during the pandemic period, particularly ransomware, the EU Cyber Resilience Act seeks to reduce both the frequency and severity of attacks by addressing one of the vulnerable points that threat actors are quick to target. Because connected devices often have no means of receiving security updates, hackers can easily automate attacks once vulnerabilities become known to the public.
The cyber resilience bill must be reviewed by the European Parliament and Council before it becomes law. If it does, the breadth of connected devices it addresses would virtually guarantee that many manufacturers would alter their global product lines to be in compliance with it. There is not yet a comparable national-level law that specifically addresses smart and connected devices in this way; the EU Cyber Resilience Act could be the first source of serious motivation for manufacturers.
Changes would not be overnight, however. If the bill becomes law, manufacturers would be given one year to begin actively reporting any known vulnerabilities that have been exploited, and two years to get hardware and software security elements into place.
EU Cyber Resilience Act proposes substantial penalties, added costs for manufacturers
A very wide range of connected devices will be covered by the EU Cyber Resilience Act’s terms, essentially anything that can connect to the internet or even just to other devices or home networks. There are some exemption categories, but these are for devices that are used in sensitive applications and already regulated by existing legislation.
Taking some cues from the GDPR’s terms, the maximum fine amount is the greater of €15M or 2.5% of global annual turnover for the most serious offenses. Product recalls can also be ordered. The exact terms have yet to be drafted, but can reasonably be expected to address common security failings in connected devices: no passwords, weak or default passwords, inability to issue security patches to devices, unencrypted communications that contain sensitive information, and so on.
However, it does look as if there will be “wiggle room” for connected devices that legitimately do not pose a security risk; early indications are that products that do not fall into a “critical” category will only be required to conduct a self-assessment or obtain a basic third-party certification.