Wednesday

28th Feb 2024

Cyber-risk from Internet of Things prompts new EU rules

  • It is estimated that every 11 seconds there is a ransomware attack targeting an organisation across the globe (Photo: European Commission)
Listen to article

Manufacturers selling smart devices connected to the internet in the EU internal market will have to comply with certain cybersecurity standards under a new bill announced by the European Commission on Thursday (15 September).

Firms making digitally-connected items such as security cameras, toys, cars, fridges or even mobile apps, will face fines of up to up to €15m or 2.5 percent of their global turnover if found in breach of the new rules — but which still need the approval of EU countries and MEPs.

Read and decide

Join EUobserver today

Get the EU news that really matters

Instant access to all articles — and 20 years of archives. 14-day free trial.

... or subscribe as a group

The new rules come amid widespread concern over the increasing number of cyberattacks and data breaches last year when remote work and lockdowns drove up worldwide internet traffic.

With more-and-more connected devices coming onto the market, these new EU requirements aim to minimise the cybersecurity risks that such devices entail.

"As we approach this era of Internet of Things where all of us will be almost permanently interconnected with devices and appliances, this [law] becomes more urgent than ever," said commission vice-president Margaritis Schinas.

New rules could reduce up to €290bn in costs from cyber incidents affecting companies, the EU executive said.

It is estimated that every 11 seconds there is a ransomware attack targeting an organisation across the globe — a dark criminal business with an estimated cost of €20bn in 2021. Overall, cybercrime had a global cost of €5.5 trillion in 2021.

"We need to protect our digital space," EU internal market commissioner Thierry Breton said, warning that an innocuous babysitting camera can be hacked by individuals or be used for espionage by third countries.

"You're supposed to use it to look after your dog or see what your children are up to. But who knows what is then done with that data, who can use it or who can exploit it?," he added.

Under new rules, manufacturers will have to take cybersecurity into account throughout the whole supply chain, listing all cybersecurity risks in order to inform consumers.

Notification inside 24 hours

They will also have to notify the EU cybersecurity agency (ENISA — European Union Agency for Cybersecurity) about any vulnerabilities or attacks within 24 hours once they are spotted, fix the incidents and provide users with security updates at least for five years.

"We try to rebalance the responsibility towards manufacturers who must ensure that they put in the market products that are digitally secure," said Schinas.

The draft law separates products falling under the scope of the legislation into two categories: namely, a group of some 10 percent of critical products considered "high-risk" and a larger group of other products considered low-risk.

Manufacturers of high-risk products, including critical software and industrial operating systems, among a long list of examples, will have to demonstrate to national authorities whether the specified cyber requirements relating to a product have been met. Firms producing low-risks products will be only requested to carry out a self-assessment.

If companies fail to comply with the rules, national authorities would be able to ban or restrict the entrance of such products onto the EU market.

Brussels Bytes

EU e-privacy proposal risks breaking 'Internet of Things'

EU policymakers need to clarify that the e-privacy should not apply to most Internet of Things devices. The current proposal require explicit user consent in all cases - which is not practical.

Magazine

To lead in cyberspace, the EU needs to avoid digital tribalism

To avoid digital tribalism the EU needs a strategy to better engage with the Global South, including the emerging digital powers such as Brazil, Egypt, Ghana, India, Indonesia, Jamaica, Kenya, Mexico, Singapore, South Africa, and Senegal.

Opinion

Can Europe protect its underwater cables from sabotage?

The sabotage of the Nord Stream pipelines was the first major attack on European maritime infrastructure. But while the EU Commission has a critical infrastructure directive in the works, it largely focuses on cybersecurity —not physical attacks.

Opinion

The AI Act — a breach of EU fundamental rights charter?

"I hope MEPs will not approve the AI Act in its current text," warns a senior EU civil servant, writing anonymously. The normalisation of arbitrary 'algorithmic' intrusions on our inner life provides a legacy of disregard for human dignity.

Opinion

Why are German armed forces spying on domestic citizens?

It is not widely-known that the German armed forces carry out reconnaissance activities. Despite involving around 7,000 personnel, the German government does not consider the Bundeswehr is running an intelligence service, thus there is barely any control or legal oversight.

Latest News

  1. Podcast: Hyperlocal meets supranational
  2. Von der Leyen appeals for 'new EU defence mindset'
  3. EU supply chain law fails, with 14 states failing to back it
  4. Joined-up EU defence procurement on the horizon?
  5. Macron on Western boots in Ukraine: What he really meant
  6. Amazon lobbyists banned from EU Parliament
  7. MEPs adopt new transparency rules for political ads
  8. EU nature restoration law approved after massive backlash

Stakeholders' Highlights

  1. Nordic Council of MinistersJoin the Nordic Food Systems Takeover at COP28
  2. Nordic Council of MinistersHow women and men are affected differently by climate policy
  3. Nordic Council of MinistersArtist Jessie Kleemann at Nordic pavilion during UN climate summit COP28
  4. Nordic Council of MinistersCOP28: Gathering Nordic and global experts to put food and health on the agenda
  5. Friedrich Naumann FoundationPoems of Liberty – Call for Submission “Human Rights in Inhume War”: 250€ honorary fee for selected poems
  6. World BankWorld Bank report: How to create a future where the rewards of technology benefit all levels of society?

Stakeholders' Highlights

  1. Georgia Ministry of Foreign AffairsThis autumn Europalia arts festival is all about GEORGIA!
  2. UNOPSFostering health system resilience in fragile and conflict-affected countries
  3. European Citizen's InitiativeThe European Commission launches the ‘ImagineEU’ competition for secondary school students in the EU.
  4. Nordic Council of MinistersThe Nordic Region is stepping up its efforts to reduce food waste
  5. UNOPSUNOPS begins works under EU-funded project to repair schools in Ukraine
  6. Georgia Ministry of Foreign AffairsGeorgia effectively prevents sanctions evasion against Russia – confirm EU, UK, USA

Join EUobserver

EU news that matters

Join us