On Thursday, the European Union’s executive arm proposed new legislation that would force manufacturers to ensure internet-connected devices meet cybersecurity standards, making the 27-nation bloc less vulnerable to attack.
The EU said a ransomware attack occurs every 11 seconds, and the global annual cost of cybercrime is estimated at €5.5 trillion in 2021. According to EU officials, in Europe, cyberattacks cost between €180 billion and 290 billion euros each.
The European Commission said an increase in cyberattacks had been witnessed during the coronavirus pandemic. Russia’s war in Ukraine has raised concerns that European energy infrastructure could also be a target amid a global energy crisis.
The law, proposed as the Cyber Resilience Act, aims to remove all products with digital elements that are not adequately protected from the EU market.
The EU’s executive commission said the law would not only reduce attacks but also benefit consumers since it would improve data and privacy protection
“When it comes to cybersecurity, Europe is only as strong as its weakest link, be it a vulnerable member state or an unsafe product along the supply chain,” said Thierry Breton, the EU commissioner for the internal market.
“Computers, phones, household appliances, virtual assistance devices, cars, toys… every one of these hundreds of millions of connected products is a potential entry point for a cyberattack.”
Breton said most hardware and software products are currently not subject to cybersecurity obligations.
If adopted, the regulation would require manufacturers to consider cybersecurity in the design and development of their devices. Companies would remain responsible for the security of products throughout their expected lifetime, or a minimum of five years.
Market authorities will have the power to withdraw or recall non-compliant devices and good companies that will not abide by the rules.
The Computer and Communications Industry Association (CCIA), which represents computer, communications and internet industry firms, welcomed the commission’s goal of improving cyber resilience but said the draft law would introduce it unnecessarily.
“These cybersecurity rules should strive to weed out bad products from the EU market, but the current … proposal would lead to innovative products piling up in waiting rooms before Europeans can use them,” CCIA Europe Public Policy Director Alexandre Roure said.
“Instead, the new rules should recognize globally accepted standards and facilitate cooperation with trusted trade partners to avoid duplicate requirements.”