EU Unveils New Regulations For Smart Device Security

European Union (EU) lawmakers have proposed a new set of product rules for smart devices, intended to compel makers of Internet-connected hardware — such as ‘smart’ washing machines or connected toys — to pay full attention to device security.

The proposed EU Cyber Resilience Act will introduce mandatory cybersecurity requirements for products that have “digital elements” sold across the bloc, with requirements applying throughout their lifecycle — meaning gadget makers will need to provide ongoing security support and updates to patch emerging vulnerabilities — the Commission said today.

The draft regulation also has a focus on smart device makers communicating to consumers “sufficient and accurate information” — to ensure buyers are able to grasp security considerations at the point of purchase and set up devices securely after purchase.

Penalties proposed by the Commission for non-compliance with “essential” cybersecurity requirements scale up to the higher of €15M or 2.5% of worldwide annual turnover, with breaches of other obligations under the regulation carrying a maximum sanction of €10M or 2% of turnover.

The EU’s executive said the proposed regulation will apply to all products that are connected “either directly or indirectly to another device or network” — with some exceptions for products for which cybersecurity requirements are already set out in existing EU rules, such as medical devices, aviation and cars.