The EU is tired of 'smart' devices with half-assed security

The European Union (EU) is ready to crack down on shoddy device security with significant new legislation.

The proposed "Cyber Resiliency Law" will require all devices connected "directly or indirectly to another device or network," including everything from refrigerators to smartwatches, to comply with a new set of cybersecurity standards.

The price of non-compliance is quite high: companies could face fines of up to €15 million ($15 million) or up to 2.5% of their total worldwide turnover if they fail to comply.

What does this mean for companies?

Manufacturers will now be required to report all known actively exploited vulnerabilities and incidents.

The proposed regulation will also reinforce the obligation of manufacturers to keep consumers informed, ensuring that they "enable consumers with sufficient information about the cybersecurity of the products they buy and use."

Manufacturers will also be required to provide regular security support and software updates to address new vulnerabilities.

The new rules will not apply to devices whose cybersecurity requirements are already defined in existing EU rules, such as medical devices, aviation technology and cars.

The claim is that compliance costs could amount to up to €29 billion, ultimately saving companies €290 billion per year in cyber incidents.

It is no surprise that the EU chooses to crack down on device security: it has been shown to be a serious and ongoing problem, and cybercriminals around the world are turning to IoT devices as endpoints.

Consumer Law Group Which? built a house full of smart devices and logged 12 unique scan and attack attempts targeting them in its first month.

Device security generally doesn't seem to be something consumers focus on as a priority, at least according to BlackBerry research.

Of more than three-quarters (77%) of smart home devices purchased in the last two years, less than a third (30%) of German and Dutch homeworkers who own a smart device said security was one of the three main factors during these purchases.

"We deserve to feel safe in the products we buy in the single market. Just as we can trust a CE-marked toy or fridge, the Cyber Resilience Act will ensure that the connected objects and software we buy adhere to strong cybersecurity safeguards," said Margrethe Vestager, Executive Vice President for Digital Agenda at the European Commission. "It will put the responsibility where it belongs, with those who bring products to market."

It is not just the EU that is ready and willing to crack down on device security.

A UK government 'Security by Design' bill covering smart device security appeared as early as 2019.