Is your device the weakest link? EU plans crackdown

Companies that violate the new Cyber Resilience Act could face fines of up to €15 million or 2.5% of annual revenue.

Anne Morris, Contributing Editor, Light Reading

September 16, 2022


As we flagged last week, the European Commission has set out how it plans to tackle the problem of securing millions of connected devices that were built and sold with little or no security protection whatsoever.

The executive body of the European Union (EU) finally published a draft version of the new Cyber Resilience Act that aims to boost the security of software and connected devices. That includes smartphones, as pointed out by Thierry Breton, commissioner for the internal market.

Figure 1: Companies that violate the new Cyber Resilience Act could face fines of up to €15 million or 2.5% of annual revenue. (Source: Andrey Kuzmin/Alamy Stock Photo)

Breton noted that when it comes to cybersecurity, "Europe is only as strong as its weakest link: be it a vulnerable member state, or an unsafe product along the supply chain. Computers, phones, household appliances, virtual assistance devices, cars, toys… each and every one of these hundreds of million connected products is a potential entry point for a cyberattack."

The commission also cites a report that estimates ransomware attacks hit an organization every 11 seconds around the globe, with the estimated global annual cost of cybercrime reaching €5.5 trillion (US$5.49 trillion) in 2021.

A fine mess

It seems something of a scandal that companies have been able to roll out so many products without built-in security. The introduction of new rules now may seem akin to slamming the door shut after the horse has bolted. Nevertheless, the commission is certainly going to have a good stab at making sure developers and manufacturers change their approach to security in future.

The proposed penalties for violations of the new rules are certainly fairly steep, and are clearly designed to make manufacturers and developers take good note. For example, those that breach the essential cybersecurity requirements and obligations will be fined up to €15 million ($14.9 million) or 2.5% of global annual revenue, whichever is higher.

Companies could also be fined up to €10 million ($9.9 million) or 2% of revenue for less serious violations. Those providing "incorrect, incomplete or misleading" information could face fines of up to €5 million ($4.9 million) or 1% of revenue.

The European Parliament and the Council will now examine the draft Cyber Resilience Act. Once adopted, companies and member states will have two years to adapt to the new requirements.

— Anne Morris, contributing editor, special to Light Reading

About the Author(s)

Anne Morris

Contributing Editor, Light Reading

Anne Morris is a freelance journalist, editor and translator. She has been working in the telecommunications sector since 1996, when she joined the London-based team of Communications Week International as copy editor. Over the years she held the editor position at Total Telecom Online and Total Telecom Magazine, eventually leaving to go freelance in 2010. Now living in France, she writes for a number of titles and also provides research work for analyst companies.
