Whether cleaning robots, televisions, toys or wristwatches: more and more products are networked these days, i.e. they exchange information via the Internet. So far, however, there are no minimum requirements for most goods in the EU in terms of protection against hacker attacks. A draft regulation that the Commission on Thursday presented in Brussels, should put an end to this abuse. The Cyber Resilience Act requires manufacturers of networked products and software to think about online security right from the design stage. The companies have to prove that their offers comply with the new EU standards before the goods can be put on the market.
Companies should offer downloadable security updates for at least five years; they are responsible for fixing newly discovered vulnerabilities during this time. If the corporations find out about successful hacker attacks, they must inform them immediately. EU Internal Market Commissioner Thierry Breton said that when it comes to cyber security, “Europe is only as strong as its weakest link – for example a vulnerable member state or an unsafe product in the supply chain”. The legal act therefore contributes to “ensuring the safety of everyone”.
The CSU MEP Angelika Niebler called the legislative initiative “sensible”. She said “no one wants to see their TV or smart speakers hacked and used as a spy device in their living room or bedroom.” SPD MEP René Repasi described the move as “long overdue”: “It was irresponsible that there were no uniform specifications for manufacturers.”
Are there any delays in new products?
The EU Parliament and the Council of Ministers will now deal with the draft law. After adoption, companies have two years to adapt. The regulation distinguishes between normal and particularly critical products. The latter are said to represent an estimated ten percent of the goods, and stricter rules apply to them. Examples are factory controls, computer processors or operating systems.
The German Association of the Electrical and Digital Industry (ZVEI) complains that the draft views too many products as critical. Instead of keeping rigid lists, it is better to pay attention to the specific purpose of use of the goods, argues ZVEI Managing Director Wolfgang Weber. Because if the stricter rules make it more difficult to launch new products, “there will be major delays in the use of digital products and components,” warns the lobbyist. Overall, however, it is good that the EU is creating uniform regulations, “even if it poses enormous challenges for our companies”.