The European Commission wants to make everyday connected appliances less vulnerable to cyber attacks by requiring manufacturers to strengthen security throughout the products' whole lifecycles.
The Cyber Resilience Act presented on Thursday in Brussels aims to become a global standard bearer by introducing mandatory cybersecurity requirements for every product with digital elements — also known as the Internet of Things — and make consumers more informed about the cybersecurity aspect of what they’re buying.
“When it comes to cybersecurity, Europe is only as strong as its weakest link: be it a vulnerable Member State, or an unsafe product along the supply chain,” Commissioner for the Internal Market Thierry Breton said in a statement.
“Computers, phones, household appliances, virtual assistance devices, cars, toys… each and every one of these hundreds of millions of connected products is a potential entry point for a cyberattack. And yet, today most of the hardware and software products are not subject to any cyber security obligations. By introducing cybersecurity by design, the Cyber Resilience Act will help protect Europe’s economy and our collective security,” he added.
According to Commission data, a ransomware attack takes place every 11 seconds with the financial impact estimated at about €20 billion worldwide last year. The global annual cost of cybercrime is meanwhile estimated at €5.5 trillion.
The Commission’s proposals will oblige manufacturers to take cybersecurity into account when designing and developing their products and to ensure that any vulnerabilities are handled effectively for the expected product lifetime or for a period of five years, whichever is shorter.
They will also have to actively report exploited vulnerabilities and incidents, provide security updates for at least five years and provide consumers with “clear and understandable instructions” for the use of products with digital elements.
The proposed legislation will need to be approved by Parliament and Council, and will come into force two years after the final green light.