Household products connected to the internet will soon have to be better protected from cyber threats after European Union countries and lawmakers agreed on new legislation on Thursday.
Hailed as a world first, the so-called Cyber Resilience Act will apply to everyday devices and software including baby monitors, smart watches, TVs and video games, in a bid to protect European consumers from cyber and ransomware attacks.
All companies placing hardware or software on the EU market will need to factor cybersecurity into the early stage of designing a product, and will remain responsible for fending off cyber threats throughout its lifecycle by making security updates available to users.
Companies will also be obliged to provide transparent information to customers on a product’s cyber safeguards. If they fail to comply, national authorities will be able to slap hefty fines or remove products from the EU market.
“The Cyber Resilience Act guarantees robust cybersecurity of digital devices in the EU from their conception throughout their lifecycle,” EU internal market commissioner Thierry Breton said on social media platform X.
The rules were first tabled by the European Commission in October 2022, amid a surge in cyber attacks and fears of increased vulnerability following Russia’s invasion of Ukraine.
According to EU data, software supply chain attacks have tripled over the last year, and a ransomware attack takes place every 11 seconds globally.
The rules will enable customers to more easily determine whether products – from toys to fridges to washing machines – comply with high EU cybersecurity standards. Compliant products will bear the so-called ‘CE marking’, while products considered to have a high vulnerability risk will be vetted by third parties.
When a company identifies an incident such as malicious intervention, it will have to alert relevant national authorities within 24 hours, and provide a more comprehensive incident report within 72 hours.
Companies manufacturing within the EU and those importing their products from outside it will be affected, as the bloc aims to crack down on threats posed by malicious foreign actors.
There are growing fears in EU circles that Chinese tech firms are helping the government in Beijing collect troves of sensitive data around the world and that its intelligence service is focusing on political targets, including in Brussels.
While the bloc’s concerns mainly relate to digital services and critical, sensitive technologies such as advanced semiconductors and quantum computing, the increasing share of Chinese-manufactured smart devices on the EU market has also raised fears of vulnerability.
The Cyber Resilience Act will not apply to software provided as a service, such as cloud-based word processing apps including Google Docs.
Source: Euro News