The European Commission aims to make commonly connected devices less susceptible to cyberattacks by requiring manufacturers to maintain security throughout the entire product lifecycle. The Cyber Resilience Act, unveiled on Thursday in Brussels, seeks to make Europe a global leader in this area by mandating cybersecurity requirements for all products with digital components, collectively known as the Internet of Things, and by informing consumers about the cybersecurity implications of the products they purchase.
“When it comes to cybersecurity, Europe is only as strong as its weakest link: be it a vulnerable Member State, or an unsafe product along the supply chain,” Commissioner for the Internal Market Thierry Breton stated. He further said that hundreds of millions of connected devices, such as computers, phones, home appliances, virtual assistants, vehicles, toys, etc., can potentially be a point of entry for a cyberattack. Yet today the majority of hardware and software products are exempt from any cybersecurity requirements. The Cyber Resilience Act will assist in safeguarding Europe’s economy and our collective security by establishing cybersecurity by design.
Data from the Commission reveals that a ransomware attack occurs every 11 seconds. In 2017, the cost of cybercrime was predicted to reach €5.5 trillion globally, with the economic effect of ransomware attacks totaling roughly €20 billion worldwide. Under the Commission’s proposals, manufacturers will be required to take cybersecurity into account when designing and developing their products. They will also need to ensure that any vulnerabilities are effectively addressed for the anticipated product lifetime or five years, whichever is shorter.
Along with providing security updates for at least five years and “clear and understandable instructions” for using products with digital components, manufacturers will also need to actively report exploited vulnerabilities and incidents. Manufacturers violating the law will risk having their goods permanently or temporarily banned from the Single Market, as well as fines ranging from 2% to 5% of worldwide sales. Once the proposed legislation receives final approval from Parliament and the Council, it will have to be implemented within two years.
Ursula Pachl, deputy director general of the consumers’ umbrella organization, The European Consumer Organisation (BEUC), hailed the plan as “really good news for consumers.” She said that insufficient cybersecurity on connected devices, like smart door locks, baby monitors, toys, washing machines, and fridges, may be a big concern for our society and economy because key infrastructure may quickly be disrupted if anything gets hacked. The Commission’s decision to finally put this idea on the table is crucial.
In response to the Commission’s proposals, MEP Dr. Patrick Breyer of the German Pirate Party said that it is long overdue to finally hold commercial manufacturers accountable for the threat posed by “insecure technology.” He also called for a change, claiming that the concept is flawed in some ways and goes too far in others.
“On the one hand, there is a lack of a clear obligation for commercial manufacturers to immediately fix known security gaps. Commercial manufacturers must be held liable for self-inflicted security loopholes in order to make IT security financially worthwhile! On the other hand, the voluntary development of free software is threatened because the same requirements are to be placed on commercial producers and on volunteers,” he explained.