The proposed legislation would apply to very connected devices including toys and household appliances such as smart fridges.
The European Commission wants to ensure everyday connected appliances are less vulnerable to cyber attacks by mandating manufacturers to strengthen security throughout their whole lifecycles.
The Cyber Resilience Act presented on Thursday in Brussels aims to become a global standard bearer by introducing mandatory cybersecurity requirements for every product with digital elements — also known as the Internet of Things — and make consumers more informed about the cybersecurity aspect of what they're buying.
"When it comes to cybersecurity, Europe is only as strong as its weakest link: be it a vulnerable Member State, or an unsafe product along the supply chain," Commissioner for the Internal Market Thierry Breton said in a statement.
"Computers, phones, household appliances, virtual assistance devices, cars, toys… each and every one of these hundreds of millions of connected products is a potential entry point for a cyberattack. And yet, today most of the hardware and software products are not subject to any cyber security obligations. By introducing cybersecurity by design, the Cyber Resilience Act will help protect Europe's economy and our collective security," he added.
Security updates and clear instructions
According to Commission data, a ransomware attack takes place every 11 seconds. The financial impact of ransomware attacks is estimated at about €20 billion worldwide last year with the global annual cost of cybercrime seen at €5.5 trillion.
The Commission's proposals will oblige manufacturers to take cybersecurity into account when designing and developing their products and to ensure that any vulnerabilities are handled effectively for the expected product lifetime or for a period of five years, whichever is shorter.
They will also have to actively report exploited vulnerabilities and incidents, provide security updates for at least five years and provide consumers with "clear and understandable instructions" for the use of products with digital elements.
Manufacturers who do not comply with the legislation will either have their products temporarily or permanently removed from the Single Market and/or be slapped with a fine of between 2% and 5% of global turnover.
The proposed legislation will need to be approved by Parliament and Council and come into force two years after the final green light.
'Overdue but falling short'?
The proposal was welcomed as "really good news for consumers" by Ursula Pachl, deputy director general at The European Consumer Organisation (BEUC), an umbrella consumers' group.
She argued that weak cybersecurity on these connected products including smart door locks, baby monitors and toys as well as connected washing machines and fridges is not only a problem for the individual consumer but "can even be a big problem for our society, for our economy as such because if something can be hacked, it can easily lead to disruptions of important infrastructure so this is a very important proposal that the Commission has finally put on the table."
MEP Dr Patrick Breyer (German Pirate Party), who sits on the Committee on Civil Liberties, Justice and Home Affairs, reacted to the Commission's plans by saying "it is overdue to finally hold commercial manufacturers accountable" to the threat from "insecure technology."
But he also said that the proposal "falls short in some places and goes too far in others" and called for a revision.
"On the one hand, there is a lack of a clear obligation for commercial manufacturers to immediately fix known security gaps. Commercial manufacturers must be held liable for self-inflicted security loopholes in order to make IT security financially worthwhile! On the other hand, the voluntary development of free software is threatened because the same requirements are to be placed on commercial producers and on volunteers," he explained.