The European Commission has proposed cyber-resilience legislation that could lead to cybersecurity labels and penalties for device manufacturers with shoddy cybersecurity features and practices.
The proposed law covers hardware and software of "products with digital elements" sold in the European Union and connected to any network.
The Cyber Resilience Act (CRA) proposal covers most network-connected devices except medical devices for human use and excludes "free and open-source software developed or supplied outside the course of a commercial activity". What it describes as "high-risk AI systems" and electronic health record systems fall in scope.
Among other requirements, once sold, manufacturers must ensure that for the expected product lifetime or for a period of five years (whichever is the shorter), security vulnerabilities are "handled effectively".
Device manufacturers will need to report actively exploited vulnerabilities to Europe's cybersecurity authority ENISA within 24 hours of becoming aware of them, as well as immediately inform users.
The CRA aims to close gaps in current EU legislation and complement the existing Network and Information Systems Directive (NIS Directive), the recently adopted NIS 2 Directive (which covers SaaS and cloud providers), and the EU Cybersecurity Act.
"When it comes to cybersecurity, Europe is only as strong as its weakest link: be it a vulnerable Member State, or an unsafe product along the supply chain," said Thierry Breton, commissioner for the internal market.
Breton said that hundreds of millions of computers, phones, household appliances, virtual assistance devices, cars and toys are a potential entry point for a cyberattack. "And yet, today most of the hardware and software products are not subject to any cybersecurity obligations. By introducing cybersecurity by design, the Cyber Resilience Act will help protect Europe's economy and our collective security."
Once in effect, manufacturers will have 24 months to become compliant. By then, software and connected devices would need to bear the CE marking to indicate compliance with the new cybersecurity standards. National authorities will be able to impose fines of up to