Monday

2nd Oct 2023

Cyber-risk from Internet of Things prompts new EU rules


Manufacturers selling smart devices connected to the internet in the EU internal market will have to comply with certain cybersecurity standards under a new bill announced by the European Commission on Thursday (15 September).

Firms making digitally-connected items such as security cameras, toys, cars, fridges or even mobile apps will face fines of up to €15m or 2.5 percent of their global turnover if found in breach of the new rules, which still need the approval of EU countries and MEPs.


The new rules come amid widespread concern over the increasing number of cyberattacks and data breaches last year when remote work and lockdowns drove up worldwide internet traffic.

With more and more connected devices coming onto the market, these new EU requirements aim to minimise the cybersecurity risks that such devices entail.

"As we approach this era of Internet of Things where all of us will be almost permanently interconnected with devices and appliances, this [law] becomes more urgent than ever," said commission vice-president Margaritis Schinas.

The new rules could reduce the costs of cyber incidents affecting companies by up to €290bn, the EU executive said.

It is estimated that every 11 seconds there is a ransomware attack targeting an organisation across the globe — a dark criminal business with an estimated cost of €20bn in 2021. Overall, cybercrime had a global cost of €5.5 trillion in 2021.

"We need to protect our digital space," EU internal market commissioner Thierry Breton said, warning that an innocuous babysitting camera can be hacked by individuals or be used for espionage by third countries.

"You're supposed to use it to look after your dog or see what your children are up to. But who knows what is then done with that data, who can use it or who can exploit it?" he added.

Under new rules, manufacturers will have to take cybersecurity into account throughout the whole supply chain, listing all cybersecurity risks in order to inform consumers.

Notification inside 24 hours

They will also have to notify the EU cybersecurity agency (ENISA — European Union Agency for Cybersecurity) about any vulnerabilities or attacks within 24 hours once they are spotted, fix the incidents and provide users with security updates for at least five years.

"We try to rebalance the responsibility towards manufacturers who must ensure that they put in the market products that are digitally secure," said Schinas.

The draft law separates products falling under the scope of the legislation into two categories: namely, a group of some 10 percent of critical products considered "high-risk" and a larger group of other products considered low-risk.

Manufacturers of high-risk products, including critical software and industrial operating systems, among a long list of examples, will have to demonstrate to national authorities whether the specified cyber requirements relating to a product have been met. Firms producing low-risk products will only be requested to carry out a self-assessment.

If companies fail to comply with the rules, national authorities would be able to ban or restrict the entrance of such products onto the EU market.
