EU proposes rules targeting cybersecurity risks of smart devices
By Foo Yun Chee
BRUSSELS (Reuters) -From laptops to fridges to mobile apps, smart devices connected to the internet will have to be assessed for their cybersecurity risks under draft European Union rules announced on Thursday, amid concerns about a spate of cyber attacks.
Companies face fines of as much as 15 million euros ($15 million) or up to 2.5% of their total global turnover if they fail to comply with the European Commission's proposed law known as the Cyber Resilience Act, which will require manufacturers to fix any problems that are identified.
Companies could save as much as 290 billion euros annually in cyber incidents versus compliance costs of about 29 billion euros, the EU executive said.
A series of high-profile incidents of hackers damaging businesses and demanding huge ransoms in recent years have heightened concerns about vulnerabilities in operating systems, network equipment and software.
"It (the Act) will put the responsibility where it belongs, with those that place the products on the market," EU digital chief Margrethe Vestager said in a statement.
Manufacturers will have to assess the cybersecurity risks of their products and take appropriate action to fix problems for a period of five years or during the expected lifetime of the product.
The companies will have to notify EU cybersecurity agency ENISA of any incidents within 24 hours of becoming aware of them, and take measures to resolve them.
Importers and distributors will have to verify that products conform with EU rules.
The Computer & Communications Industry Association (CCIA Europe) warned that the resulting red tape from the approval process could hamper the roll-out of new technologies and services in Europe.
"Instead the new rules should recognise globally-accepted standards and facilitate cooperation with trusted trade partners to avoid duplicate requirements," Public Policy Director Alexandre Roure said.
If companies do not comply with the EU's rules, national surveillance authorities can prohibit or restrict a product from being made available to their national markets.
The draft rules will need to be agreed with EU countries and EU lawmakers before they can become law.
($1 = 1.0013 euros)
(Reporting by Foo Yun Chee; editing by Philip Blenkinsop and Elaine Hardcastle)