The EU has drafted a bill to improve the security of Internet-connected devices. If the law is passed, manufacturers of a wide range of electronics, from smartphones to smart home appliances, will be obliged to bring their products up to a cybersecurity standard; otherwise they may face large fines or be forced to withdraw their goods from the market entirely.
According to the text of the draft Cybersecurity Act, prepared by the European Commission and due for publication next week, the purpose of the new measures is to protect against a growing number of online attacks.
Household appliances and other consumer devices are increasingly fitted with sensors and communication modules, forming the Internet of Things. According to the draft law, such products may have a low level of cybersecurity because of the high number of vulnerabilities and the lack of timely updates to address them. In addition, manufacturers may give users unreliable information about the level of protection a device offers.
In a networked environment, a security incident involving a single product can compromise the security of an entire organisation or supply chain within minutes. This can cause serious disruption to economic and/or social processes, or even endanger people's health and lives. Under the proposed EU regulations, products will have to comply with a number of standards in order to obtain the mark that permits sale in the region. The new regulations will not apply to open hardware as long as it is not intended for sale.
The European Cybersecurity Agency (ENISA) or EU member states, at the request of the European Commission, will be able to examine any device for compliance with the accepted standards. Even if a device formally meets the standards, specialists may still classify it as "a significant threat to cybersecurity", as a threat to human health and safety, or as incompatible with fundamental rights. ENISA will also provide a vulnerability framework to help assess cross-border attacks.
If a device does not meet the new standards, national regulators may order it withdrawn from the market or banned outright; in exceptional cases the European Commission may do the same.
Fines for violating the law can reach €15 million or 2.5 per cent of the company's annual global income, whichever is higher. Less serious violations can be punished with fines of up to €10 million or 2 per cent of income. If a company is found to have provided incomplete or misleading information, it can be fined €5 million or 1 per cent of annual income.
The European Commission projects that, if adopted, the law would save 180-290 billion euros annually, although companies and authorities would have to spend around 29 billion euros to bring electronics into line with the new regulations and to streamline the regulatory framework.