Monday

20th Mar 2023

Cyber-risk from Internet of Things prompts new EU rules

  • It is estimated that every 11 seconds there is a ransomware attack targeting an organisation across the globe (Photo: European Commission)
Listen to article

Manufacturers selling smart devices connected to the internet in the EU internal market will have to comply with certain cybersecurity standards under a new bill announced by the European Commission on Thursday (15 September).

Firms making digitally-connected items such as security cameras, toys, cars, fridges or even mobile apps, will face fines of up to up to €15m or 2.5 percent of their global turnover if found in breach of the new rules — but which still need the approval of EU countries and MEPs.

Read and decide

Join EUobserver today

Become an expert on Europe

Get instant access to all articles — and 20 years of archives. 14-day free trial.

... or subscribe as a group

The new rules come amid widespread concern over the increasing number of cyberattacks and data breaches last year when remote work and lockdowns drove up worldwide internet traffic.

With more-and-more connected devices coming onto the market, these new EU requirements aim to minimise the cybersecurity risks that such devices entail.

"As we approach this era of Internet of Things where all of us will be almost permanently interconnected with devices and appliances, this [law] becomes more urgent than ever," said commission vice-president Margaritis Schinas.

New rules could reduce up to €290bn in costs from cyber incidents affecting companies, the EU executive said.

It is estimated that every 11 seconds there is a ransomware attack targeting an organisation across the globe — a dark criminal business with an estimated cost of €20bn in 2021. Overall, cybercrime had a global cost of €5.5 trillion in 2021.

"We need to protect our digital space," EU internal market commissioner Thierry Breton said, warning that an innocuous babysitting camera can be hacked by individuals or be used for espionage by third countries.

"You're supposed to use it to look after your dog or see what your children are up to. But who knows what is then done with that data, who can use it or who can exploit it?," he added.

Under new rules, manufacturers will have to take cybersecurity into account throughout the whole supply chain, listing all cybersecurity risks in order to inform consumers.

Notification inside 24 hours

They will also have to notify the EU cybersecurity agency (ENISA — European Union Agency for Cybersecurity) about any vulnerabilities or attacks within 24 hours once they are spotted, fix the incidents and provide users with security updates at least for five years.

"We try to rebalance the responsibility towards manufacturers who must ensure that they put in the market products that are digitally secure," said Schinas.

The draft law separates products falling under the scope of the legislation into two categories: namely, a group of some 10 percent of critical products considered "high-risk" and a larger group of other products considered low-risk.

Manufacturers of high-risk products, including critical software and industrial operating systems, among a long list of examples, will have to demonstrate to national authorities whether the specified cyber requirements relating to a product have been met. Firms producing low-risks products will be only requested to carry out a self-assessment.

If companies fail to comply with the rules, national authorities would be able to ban or restrict the entrance of such products onto the EU market.

Brussels Bytes

EU e-privacy proposal risks breaking 'Internet of Things'

EU policymakers need to clarify that the e-privacy should not apply to most Internet of Things devices. The current proposal require explicit user consent in all cases - which is not practical.

Magazine

To lead in cyberspace, the EU needs to avoid digital tribalism

To avoid digital tribalism the EU needs a strategy to better engage with the Global South, including the emerging digital powers such as Brazil, Egypt, Ghana, India, Indonesia, Jamaica, Kenya, Mexico, Singapore, South Africa, and Senegal.

Opinion

Can Europe protect its underwater cables from sabotage?

The sabotage of the Nord Stream pipelines was the first major attack on European maritime infrastructure. But while the EU Commission has a critical infrastructure directive in the works, it largely focuses on cybersecurity —not physical attacks.

Opinion

Big Tech's attempt to water down the EU AI act revealed

The launch of ChatGPT has sparked a worldwide debate on Artificial Intelligence systems. Amidst Big Tech's proclamations that these AI systems will revolutionise our daily lives, the companies are engaged in a fierce lobbying battle to water-down regulations.

Latest News

  1. 'Symbolic' Putin indictment gets some EU backing
  2. 'Final warning' to act on climate change, warns IPCC
  3. 'No one is unemployable': the French social experiment
  4. Why can't we stop marches glorifying Nazism on EU streets?
  5. Op-ed debate: Should NGOs be subject to stricter transparency regulation?
  6. 'Forever chemicals' industry hit by perfect storm
  7. EU summit zooms in on global roles This WEEK
  8. EU launches 'Hydrogen Bank' — but what is it?

Stakeholders' Highlights

  1. Nordic Council of MinistersNordic and Baltic ways to prevent gender-based violence
  2. Nordic Council of MinistersCSW67: Economic gender equality now! Nordic ways to close the pension gap
  3. Nordic Council of MinistersCSW67: Pushing back the push-back - Nordic solutions to online gender-based violence
  4. Nordic Council of MinistersCSW67: The Nordics are ready to push for gender equality
  5. Promote UkraineInvitation to the National Demonstration in solidarity with Ukraine on 25.02.2023
  6. Azerbaijan Embassy9th Southern Gas Corridor Advisory Council Ministerial Meeting and 1st Green Energy Advisory Council Ministerial Meeting

Join EUobserver

Support quality EU news

Join us