Cybersecurity is a major challenge for the European Union, as cyberattacks pose a serious threat to its economy, security, and democracy. According to the EU, a ransomware attack takes place every 11 seconds, and the global annual cost of cybercrime is estimated at 5.5 trillion euros in 2021. In Europe alone, cyberattacks cost between 180 and 290 billion euros each year.
The COVID-19 pandemic has also increased the vulnerability of the EU, as more people and businesses rely on digital services and networks. Moreover, the ongoing conflict between Russia and Ukraine has raised concerns that European energy infrastructure could also be targeted amid a global energy crunch.
To address these challenges, the EU’s executive arm, the European Commission, proposed new legislation on Thursday that would force manufacturers to ensure that devices connected to the internet meet cybersecurity standards, making the 27-nation bloc less vulnerable to attacks.
The law, proposed as the Cyber Resilience Act, aims to remove from the EU market all products with digital elements that are not adequately protected. This includes computers, phones, household appliances, virtual assistance devices, cars, toys, and many more.
The EU’s executive commission said the law would not only reduce attacks but also benefit consumers since it will improve data and privacy protection.
“When it comes to cybersecurity, Europe is only as strong as its weakest link, be it a vulnerable member state or an unsafe product along the supply chain,” said Thierry Breton, the EU commissioner for the internal market.
“Each and every one of these hundreds of millions of connected products is a potential entry point for a cyberattack.”
Breton said most hardware and software products are currently not subject to any cybersecurity obligations. If adopted, the regulation would require manufacturers to take into account cybersecurity in the design and development of their devices. Companies would remain responsible for the security of products throughout their expected lifetime, or a minimum of five years.
Market authorities will have the power to withdraw or recall non-compliant devices and to fine companies that will not abide by the rules.
The proposed law has been welcomed by some industry groups, such as the Computer and Communications Industry Association (CCIA), which represents computer, communications and internet industry firms. They said the commission’s goal of improving cyber resilience is commendable, but they also expressed some concerns about the draft law.
“These cybersecurity rules should strive to weed out bad products from the EU market, but the current … proposal would lead to innovative products piling up in waiting rooms before they can be used by Europeans,” CCIA Europe Public Policy Director Alexandre Roure said.
“Instead, the new rules should recognize globally accepted standards and facilitate cooperation with trusted trade partners to avoid duplicate requirements.”
The Cyber Resilience Act will now be discussed by the European Parliament and the Council of the EU, which represents the member states. The EU hopes to adopt the law by the end of 2024.
0 Comments