EU’s Cyber Resilience Act Plans to Augment Security for IoT

The European Union has released additional details of its Cyber Resilience Act (CRA), proposed cybersecurity rules initially introduced last year aimed at the growing number of smart devices and the Internet of Things. The goal is to introduce effective regulations that would help curb surging cyberattacks. Major tech companies from Apple to Amazon and LG would need to meet strict new standards in the connected electronics space or face significant fines that could run as high as the greater of $15 million or 2.5 percent of a company’s worldwide revenue.

“In an interconnected single market, we are only as strong as the weakest link,” EU Internal Market Commissioner Thierry Breton wrote last year, when cyberattacks caused $6 trillion in global damages, according to Bloomberg.

“In a connected environment, a cybersecurity incident in one product can affect an entire organization or a whole supply chain, often propagating across the borders of the internal market within a matter of minutes. This can lead to severe disruptions of economic and social activities or even become life threatening,” Bloomberg quoted from a draft of the CRA.

The regulations seek to bring order to what many view as an untamed frontier: smart appliances, media devices and home office equipment that contain sensors and are connected to the Internet.

“These products can have a low level of cybersecurity, reflected by widespread vulnerabilities and the insufficient and inconsistent provision of security updates to address them,” providing users “with ‘insufficient’ information on their level of protection,” Bloomberg writes, quoting the draft.

“Under the proposed EU rules, products will have to meet various cyber standards to receive an approval marking and be sold regionally. Open-source devices wouldn’t have to meet these rules unless they are marketed commercially,” according to Bloomberg, which says “EU countries — or the EU’s cyber agency, when asked by the commission — will be able to investigate any device sold in the region for noncompliance.”

In addition to the high-end fines, “less serious violations could lead to fines of 10 million euros or 2 percent of global yearly sales,” Bloomberg reports, adding that “if a company is found providing ‘incorrect, incomplete or misleading’ information, it could be fined 5 million euros, or up to 1 percent of annual revenue.” The European Union Agency for Cybersecurity (ENISA) will be administering the new regulations.

“If everything is connected, everything can be hacked,” European Commission President Ursula von der Leyen said in her State of the Union address last year. “This is why we need a European Cyber Defence Policy, including legislation setting common standards under a new European Cyber Resilience Act.”

Belgian consultancy Dr2 writes in its blog that after the proposal goes public on September 13, a committee will be assigned to draft a CRA report for the European Parliament, and the EU ministers will meet to discuss it on December 6.

The CRA “will complement the existing EU legislative framework,” which includes the NIS Directive and the Cybersecurity Act, “as well as the future directive on measures for high common level of cybersecurity across the Union (NIS 2) that the Commission proposed in December 2020,” says TechHQ.
