The EU wants manufacturers of connected devices to secure them before selling them

The European Comission has made public the draft of the future EU Cyber ​​Resilience Lawwhich among other things will mandatory for manufacturers of connected devices monitor your safety and secure them before putting them up for sale. Also that they publicly report the security breaches they suffer and that they fix them, in addition to guaranteeing that they can be repaired for five years.

According to Thierry Breton, European Commissioner for the Internal Market«lComputers, mobile phones, household appliances, virtual assistance devices, cars or toys, among others, add up to hundreds of millions of connected products that represent a potential point of entry for a cyber attack. And yet, most hardware and software products are not subject to any cybersecurity obligations.«.

The European Commission’s concerns go beyond the hacking of products and the impact that an incident can have on the entire supply chain. Its members are more concerned about the potential blackouts and failures that they may suffer, since they can be a source of «a serious disruption of economic and social activities in the domestic market, weakening security or even becoming life-threatening«. With this, the Commission refers directly to the deaths that certain types of cyber attacks can cause, depending on where they are carried out.

The draft of the law, which has been working on for a year, «presents the mandatory cybersecurity requirements for products with digital elements throughout their entire life cycle«. That is why it details the safety and information requirements that manufacturers must meet before putting them up for sale in any of the European Union markets. Some cover its design, its development and its production.

In addition, once the products are put on sale, the law will oblige manufacturers to make security incidents public within a maximum of 24 hours after becoming aware of them. Also to correct vulnerabilities through security support and software updates. Likewise, they will have to solve the cybersecurity problems they have during a period of either five years, or the entire life that the product is expected to have.

According to the European Commission, “these new rules will rebalance responsibility towards manufacturers«. Once approved, manufacturers will have a two-year grace period to adapt to the new requirements. For information about incidents and vulnerabilities, the grace period is reduced to one year. Of course, the law has exceptions for certain types of connected devices, such as those intended for medical uses, airplanes and cars. This is because they are already subject to other regulations.

IF the manufacturers of the devices that the law will affect do not comply with the standards, may be fined up to 15 million euros, or 2.5% of total annual income of the previous fiscal year of the manufacturer that has failed to comply with the standard. The legislation will affect only the EU, but the Commission has already pointed out that the law has the potential to eventually set global standards, as it has noted that the regulation is likely to “become an international point of reference«.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *