New EU cybersecurity act to rein in wild west of IoT devices

Cyber Resilience Act could impose fines of up to €15 million ($14.9 million) for serious violations of new rules.

Anne Morris, Contributing Editor, Light Reading

September 8, 2022

The European Commission is pressing ahead with plans for new rules that aim to impose new cybersecurity requirements on all manner of connected devices, including smartphones.

First announced by EC president Ursula von der Leyen in her State of the Union Address in September 2021, the European Cyber Resilience Act (CRA) intends to "establish common cybersecurity rules for digital products and associated services that are placed on the market across the European Union."

Figure 1: Cyber Resilience Act could impose fines of up to €15 million ($14.9 million) for serious violations of new rules. (Source: Andrey Kuzmin/Alamy Stock Photo)

A ten-week public consultation on the proposed rules was completed in May and the commission is expected to publish the new act on September 13.

The Financial Times and Bloomberg seem to have gained a sneak peek of the draft proposal. The US news agency said the rules indicate that providers of Internet-connected technology and devices will have to meet the new cybersecurity requirements in the European Union or face fines and possibly have the product taken off the market.

According to Bloomberg, fines for violating an essential part of the proposed regulation could reach €15 million ($14.9 million) or 2.5% of a company's worldwide annual revenue, whichever is higher. Less serious violations could incur fines of €10 million ($9.9 million) or 2%, or €5 million ($4.9 million) or 1%.

Wild west of IoT

Such rules and fines may sound draconian, but it has long been acknowledged that the Internet of Things (IoT), in particular, is "the new technological wild west," as described last year by Tanner Johnson, a senior cybersecurity analyst at Omdia.

In a blog, Dr2 Consultants notes that hardware manufacturers, software developers, distributors and importers "often do not put in place adequate cybersecurity safeguards when placing digital products or services on the market."

The consultancy further explains that the CRA "introduces horizontal cybersecurity requirements, which will protect consumers from insecure products by introducing common cybersecurity rules for manufacturers and vendors of digital products such as routers, connected cameras, and smartphones, and associated services such as software on phones or in vehicles."

The EC said the CRA will complement the existing EU legislative framework, which includes the Directive on the security of Network and Information Systems (NIS Directive) and the Cybersecurity Act, as well as the future Directive on measures for a high common level of cybersecurity across the Union (NIS 2) that the Commission proposed in December 2020.

— Anne Morris, contributing editor, special to Light Reading

About the Author(s)

Anne Morris

Contributing Editor, Light Reading

Anne Morris is a freelance journalist, editor and translator. She has been working in the telecommunications sector since 1996, when she joined the London-based team of Communications Week International as copy editor. Over the years she held the editor position at Total Telecom Online and Total Telecom Magazine, eventually leaving to go freelance in 2010. Now living in France, she writes for a number of titles and also provides research work for analyst companies.
