The European Commission presented a new proposal for a cyber-resilience law on Thursday that aims to impose new cybersecurity requirements on internet-connected devices, ranging from “smart” toys and fridges to security cameras.
Manufacturers of digitally connected products would have to meet the new EU requirements, whether the products are made in the EU or not. The law would ensure that products bearing the CE mark meet a minimum level of cybersecurity checks. Sensitive products that break the rules face fines of up to €15 million, or 2.5% of global turnover, whichever is higher.
“We need to protect our computing space, our cyberspace and our internal market,” EU Internal Market Commissioner Thierry Breton said, showing an internet-connected camera and warning that such a device could present risks of hacking and even abuse. state-sponsored espionage.
A schedule attached to the legislation explains how there would be two categories of products: one for critical products, which will cover around 10% of the market; and a second category that will cover all other products. For low-risk products, the Commission will ask companies to carry out a self-assessment indicating that a product meets cybersecurity standards. For those that may pose a significant cybersecurity risk, a manufacturer will need to demonstrate that they meet the requirements with a national authority or through a third-party assessment.
For mobile phones, for example, “the cybersecurity elements of a product like this are beyond regulation. And that’s what we’re going to get into,” said Margaritis Schinas, Commission Vice-President responsible for security policy.
Under the new law, the Commission would also have the power to order the European Cybersecurity Agency ENISA to assess whether a product poses a “significant risk to cybersecurity” and to recall a product if it does. .
The new draft law still needs to be considered by the European Parliament and the Council of the EU before becoming law.
#proposes #cyber #law #fix #uneven #Internet