A range of products, from home appliances and connected toys to computers and software, will require security guarantees and a five-year patch
“When you buy a product it is important that the product does not have known vulnerabilities. This is not the case today,” Thierry Breton, the EU commissioner for the internal market, told reporters on Thursday. The law is a success, he said, because Europe is the first continent to propose a required cyber security assessment for software.
The legislation will be “a massive undertaking” at significant cost to companies in the form of safety assessments and new processes, said Nils Scherer, a manager in digitization at ZVEI, a consortium of German electrical and digital companies including Siemens AG and Bosch Thermotechnik GmbH, a subsidiary of Bosch AG that manufactures heating equipment.
“You need to fundamentally change all of your internal processes that are involved in the product life cycle,” he said.
Products with digital components must carry labels stating that they comply with the new regulations and how long cyber security support will be provided. The proposal excludes medical devices and cars, which are governed by other laws.
Lawmakers must negotiate the details of the proposal before approving it, a process that could take several months. After this, companies will have two years to comply.
The proposal states that businesses must disclose a so-called software bill of materials listing each product’s components, a move that could help manufacturers monitor their supply chains and track security vulnerabilities. An EU official involved in drafting the law said the bill of materials was inspired by President Biden’s 2021 executive order on cybersecurity, which requires companies providing software to the federal government to disclose their components.
The draft rules list 38 critical technology products required to receive a cyber security assessment from an independent body. The EU official told reporters that those products, which include software such as password managers and firewalls, and hardware such as microcontrollers, industrial Internet-of-Things devices and smart meters, were considered important because of the potential impact if hacked. Still, the official said, around 90% of companies would be able to self-certify.
Some manufacturers are concerned that third-party security reviews could delay product launches, said Paolo Falcioni, director general of APPLiA, a Brussels-based association for home appliance manufacturers. “It’s essentially a time-to-market restriction,” he said.
The proposal leaves room for the European Commission to create a list of “highly important” products that would require a separate certification, created by EU cyber security experts.
The list of products deemed critical under the law is already very extensive, and some may not be used for critical functions at all, Mr Scherer said. “You could have a component that might be able to connect to the network but used in a completely non-critical context. It could be a Coca-Cola machine or part of a nuclear power plant,” he said.
Meanwhile, consumer advocates said the list should be longer. Claudio Teixeira, a legal official at the Brussels-based European Consumer Organization, said hackers could cause major harm if they intercept the signals of common products such as wearable devices, connected toys or household thermostats.
Last year, Belgian consumer organization Test-Achats tested 16 connected devices, including baby monitors, smart vacuum cleaners and smart TVs. Ten had serious security flaws, including weak default passwords and a lack of data encryption, which made them easy to hack. “We recognize the failure of the market here,” he said.
Catherine Stupp
Credit: www.Businesshala.com