EU proposes security standards for IoT products

European Union lawmakers introduced new security standards Thursday for internet-connected products — from smartphones to fridges — as the bloc attempts to address the growing threat posed by cyberattacks.

The proposed Cyber Resilience Act (CRA) introduces several key measures including basic security requirements for products to be considered safe for the market and obligations on their manufacturers about handling vulnerabilities after any are discovered.

The CRA requires companies to have mechanisms to fix any flaws discovered in their devices after they have been sold to consumers for a period of up to five years, or at least during the expected lifetime of the product. Devices which don’t meet these standards could be taken off the market and the manufacturers could face fines of €15 million or 2.5% of their global annual revenue for failing to comply with the rules.

Manufacturing and design practices mean many Internet of Things (IoT) products introduce additional risks to the home and business networks they’re connected to. In one often-cited case described by Darktrace, hackers were allegedly able to steal data from a casino’s otherwise well-protected computer network after breaking in through an internet-connected temperature sensor in a fish tank.

“When it comes to cybersecurity, Europe is only as strong as its weakest link: be it a vulnerable Member State, or an unsafe product along the supply chain,” warned Thierry Breton, the EU’s commissioner for industry.

“Computers, phones, household appliances, virtual assistance devices, cars, toys… each and every one of these hundreds of millions of connected products is a potential entry point for a cyberattack,” Breton added on Thursday.

The proposal includes generally forcing manufacturers of “products with digital elements” to design, develop, and produce them “in such a way that they ensure an appropriate level of cybersecurity”.

It will ban companies from delivering products with “any known exploitable vulnerabilities” potentially obliging them to engage in expensive recalls, while also forcing them to report significant incidents of exploitation to ENISA, the EU’s cybersecurity agency.

Manufacturers will also have to include in a machine-readable format a “software bill of materials’’ as part of their vulnerability handling requirements, which will include “at the very least the top-level dependencies of the product”, alongside having to publicly disclose information about fixed vulnerabilities.

The European Commission itself says that cyberattacks targeting hardware and software products cost the global economy €5.5 trillion last year. It says that the CRA’s compliance costs for industry are expected to come to about 10% (€29 billion) of the annual losses (€290 billion) chalked up to cyber incidents inside the bloc.

Similar legislation is being brought forward in the United Kingdom which would ban companies from selling connected devices that share the same default password.

The EU’s proposed legislation will need to be agreed on by member state representatives in the European Council and then legislators in the European Parliament before it becomes law.

The proposal follows a public consultation launched by the Commission earlier this year, which generally received support from industry bodies. It is expected to pass without significant amendments.

At that point, member states and manufacturers will have two years to adapt to the requirements — except for the mandatory reporting obligation for manufacturers, who will only have a year to get their processes in place to disclose actively exploited vulnerabilities and incidents to ENISA.