Illustration by Security Management; iStock

EU Poised to Introduce Cybersecurity Rules for IoT Devices

The European Union Commission is poised to introduce new rules that would require Internet of Things (IoT) devices to meet cybersecurity standards or potentially be banned from the market.

The new rules are part of the Cyber Resilience Act, which Reuters obtained an advance copy of this week. In the draft legislation—which is expected to be introduced on Tuesday, 13 September—the commission would require manufacturers to “assess the cybersecurity risks of their products and take appropriate measures to fix problems” to be able to sell them within the EU, Reuters reports. Manufacturers are also required to notify the European Union Agency for Cybersecurity (ENISA) within 24 hours of becoming aware of a cybersecurity issue and take steps to remedy it.

“If companies do not comply, national surveillance authorities can ‘prohibit or restrict that product being made available on its national market, to withdraw it from that market, or recall it,’” according to Reuters' review of the draft.

The new rules would seek to stem some of the damage that crime leveraging software and hardware systems has caused in recent years as the number of IoT devices proliferates, reports Bloomberg, which also received the draft.

“In a connected environment, a cybersecurity incident in one product can affect an entire organization or a whole supply chain, often propagating across the borders of the internal market within a matter of minutes,” according to the draft Bloomberg analyzed. “This can lead to severe disruptions of economic and social activities or even become life threatening.”

An additional measure within the proposed rules would allow EU member states or ENISA to review devices sold in the bloc to ensure compliance, potentially removing them from the market or issuing fines to the manufacturer. ENISA would also be required to create a vulnerability database to assess the impact of cyberattacks that cross borders.

“The commission predicts that the proposal will save 180 billion euros to 290 billion euros each year,” according to Bloomberg. “However, companies and public authorities will have to spend an estimated 29 billion euros to comply with and enforce the new cyber rules.”

The European Commission is expected to pass the legislation after it’s formally introduced. The initiative was open for public feedback from 16 March until 25 May, and more than 100 individuals and organizations provided comments.

The Cybersecurity Coalition, composed of companies that specialize in providing cybersecurity products and services, pushed back in its public comment on the proposed rules, calling the objectives and policy options too broad and lacking clarity on what issues the rules attempt to address. 

“…There is a lack of technical and independent evidence to assess that ‘one product can affect an entire organization or a whole supply chain,’” the coalition wrote. “In fact, most publicly reported cyber incidents are a combination of poor information security practices, failures to appropriately update in a timely manner, individual error, and even malfeasance.”

European Commission President Ursula von der Leyen first mentioned the Cyber Resilience Act in September 2021 as part of a broader effort to create common cybersecurity rules for the EU market, TechHQ reports. 

“If everything is connected, everything can be hacked,” von der Leyen said in her 2021 State of the Union Address. “Given that resources are scarce, we have to bundle our forces. This is why we need a European Cyber Defense Policy, including legislation setting common standards under a new European Cyber Resilience Act.”