The EU will soon have a Cyber Resilience Act aimed at connected devices

Introduced in September 2021 by European Commission President Ursula von der Leyen, the Act seeks to establish common cybersecurity rules for digital products and associated services that are placed o
8 September 2022

The EU will soon have a Cyber Resilience Act aimed at connected devices. Here’s what we know so far. European Commission President Ursula von der Leyen delivers a speech during a debate on “The State of the European Union” as part of a plenary session in Strasbourg on September 15, 2021. (Photo by YVES HERMAN / POOL / AFP)

  • The Cyber Resilience Act, set to go public next week, would require products to meet various cyber standards to receive an approval marking and be sold regionally.
  • Open-source devices wouldn’t have to meet these standards unless they are marketed commercially.
  • The European Union Agency for Cybersecurity will also set up a vulnerability database to help assess cross-border attacks. 

The Internet of Things (IoT) ecosystem is growing rapidly, promising a smarter way to live. For some connected devices have become more than convenient fixtures; they’re necessities. The catch? As each day passes and more connected devices are put online, cybercriminals find new ways to exploit them. The European Commission (EC) is aware of that, especially since the pandemic that saw the rise of cyberattacks on IoT devices, so it decided on a Cyber Resilience Act for the region.

For context, damages from software and hardware cybercrime amounted to roughly $6 trillion last year alone, according to the head of Italian defense, security and aerospace giant Leonardo. One fifth of the total number of attacks was directed at Europe itself. The new rules from the EC, which are set to become public next week, are aimed at improving the security of devices in the face of the surge in online attacks across the globe. 

In general, “IoT devices” refers to the rapidly growing number of physical devices capable of connecting to the internet. Embedded with sensors and software capable of collecting and sharing data online, the nature of IoT devices’ connectivity unfortunately leaves room for malicious actors to take advantage.

First announced by President von der Leyen in her State of the Union Address in September 2021, the Cyber Resilience Act seeks to establish common cybersecurity rules for those IoT devices and associated services that are placed on the market across the European Union. “If everything is connected, everything can be hacked. Given that resources are scarce, we have to bundle our forces. This is why we need a European Cyber Defense Policy, including legislation setting common standards under a new European Cyber Resilience Act.”

The Act will complement the existing EU legislative framework, which includes the Directive on the security of Network and Information Systems (NIS Directive) and the Cybersecurity Act, as well as the future Directive on measures for high common level of cybersecurity across the Union (NIS 2) that the Commission proposed in December 2020.

“In a connected environment, a cybersecurity incident in one product can affect an entire organization or a whole supply chain, often propagating across the borders of the internal market within a matter of minutes,” the draft said, according to Bloomberg. “This can lead to severe disruptions of economic and social activities or even become life threatening.”

What does the Cyber Resilience Act entail?

Under the proposed EU rules, products will have to meet various cyber standards to receive an approval marking and be sold regionally. Open-source devices wouldn’t have to meet these standards unless they are marketed commercially. All EU countries — or the EU’s cyber agency, when asked by the Commission — will be able to investigate any device sold in the region for noncompliance. 

Even if they meet the cyber rules, they may still be found to “present a significant cybersecurity risk,” to risk people’s health and safety, or to fail to comply with fundamental rights. Separately, the European Union Agency for Cybersecurity will be setting up a vulnerability database to help assess cross-border attacks. 

Should a device not meet the new standards, national regulators, or the Commission in exceptional circumstances, can have a product recalled or completely taken off the market in the EU. Fines for violating an essential part of the regulation proposal could reach 15 million euros (US$15 million), or 2.5% of a company’s worldwide annual revenue, whichever is highest. Less serious violations could lead to fines of 10 million euros or 2% of global yearly sales.

If a company is found providing “incorrect, incomplete or misleading” information, it could be fined 5 million euros, or up to 1% of annual revenue. The Commission even predicts that the proposal will save 180-290 billion euros each year. Companies and public authorities will have to spend an estimated 29 billion euros to comply with and enforce the new cyber rules.