From laptops to fridges to mobile apps, smart devices connected to the internet will have to assess their cybersecurity risks and fix them under draft European Union rules announced on Thursday, amid concerns about a spate of cyber attacks.
Companies face fines of as much as 15 million euros ($15 million) or up to 2.5 per cent of their total global turnover if they fail to do so under the European Commission’s proposed law known as the Cyber Resilience Act.
Companies could save as much as 290 billion euros annually in cyber incidents versus compliance costs of about 29 billion euros, the EU executive said.
A series of high-profile incidents of hackers damaging businesses and demanding huge ransoms in recent years have heightened concerns about vulnerabilities in operating systems, network equipment and software.
“It (the Act) will put the responsibility where it belongs, with those that place the products on the market,” EU digital chief Margrethe Vestager said in a statement.
EU industry chief Thierry Breton pointed to numerous devices that are vulnerable to hacking.
“Computers, phones, household appliances, virtual assistance devices, cars, toys… each and every one of these hundreds of million connected products is a potential entry point for a cyberattack,” he said.
Manufacturers will have to assess the cybersecurity risks of their products and take appropriate procedures to fix problems for a period of five years or during the expected lifetime of the product.
The companies will have to notify EU cybersecurity agency ENISA of incidents within 24 hours once they are aware of issues, and take measures to resolve them.
Importers and distributors will be required to verify that products conform with EU rules.
If companies do not comply, national surveillance authorities can prohibit or restrict a given product from being made available on its national market.
The draft rules will need to be agreed with EU countries and EU lawmakers before they can become law.