EC: Device makers should be responsible for cyber security
September 15, 2022
The European Commission (EC) has opened consultations on a new Cyber Resilience Act aimed at raising the security of internet-connected devices. It proposes that manufacturers be responsible for the security of their products throughout their lifecycle.
“Just as we can trust a toy or a fridge with a CE marking, the Cyber Resilience Act will ensure the connected objects and software we buy comply with strong cybersecurity safeguards […] It will put the responsibility where it belongs, with those that place the products on the market,” said Margrethe Vestager, executive vice-president for the Digital Age.
The act lays out rules for manufacturers wanting to market their products in Europe, with a list of requirements relating to their design, development and production. It also sets out essential requirements for vulnerability handling processes, requiring manufacturers to report actively exploited vulnerabilities and incidents, as well as providing security support and software updates to address identified vulnerabilities throughout a product’s lifecycle.
The act will cover ‘products with digital elements’ – in other words, all products that are connected either directly or indirectly to another device or network.
Potential fines for security protection failures will reach up to €15 million, or 2.5 per cent of worldwide turnover, whichever is higher.