Watches, cars, intercoms, lamps, industrial machinery or printers. As the "Internet of Things" (IoT) continues its triumphant rise, more and more devices are able to directly connect to the internet and thus offer a variety of new features. But this also comes with a downside, as it provides a potential gateway for criminals who may exploit security vulnerabilities in these smart devices and abuse them to infiltrate people's systems. Statistically, a ransomware attack happens somewhere in the world every 11 seconds, causing estimated costs of around EUR 20bln worldwide in 2021 alone.
To address these problems, the European Commission presented its proposal for a Cyber Resilience Regulation (COM/2022/454 final) on 15 September 2022, introducing harmonised cybersecurity requirements for manufacturers and developers of products with digital elements, regarding both software and hardware.
The two main issues identified by the Commission in this context are that some products placed on the market lack cybersecurity standards already at the design stage and that some manufacturers are not willing to address security concerns regarding their products once they have put them into circulation.
The Commission now aims to solve these problems by setting out essential requirements that must be met before a product with digital elements is placed on the market. It also defines rules for the design, development and production of products with digital elements as well as obligations for vulnerability handling processes to ensure a high standard of cybersecurity throughout a product's entire lifecycle. Users must also be provided with at least the information and instructions set out in Annex II for the respective product with digital elements.
In addition, manufacturers must demonstrate fulfilment of the requirements under the regulation by carrying out a conformity assessment either via self-assessment or by a qualified third party. Certain categories of products with particularly high risk, so-called "critical products with digital elements" (e.g. operating systems, firewalls, routers, modems or smart meters) are subject to even stricter requirements and must, for instance, have the conformity assessment carried out by a qualified third party. For most smart everyday devices, however, a self-assessment will usually suffice in order not to burden manufacturers with excessive costs.
Another novelty is a reporting obligation similar to the mandatory data breach notification in accordance with the GDPR. Manufacturers must report any actively exploited vulnerability or any incident having an impact on the security of their product to the European Union Agency for Cybersecurity without undue delay and no later than 24 hours after becoming aware of it.
Failure to comply with the essential cybersecurity requirements set out in the regulation can result in fines of up to EUR 15m or 2.5 % of annual global turnover, whichever is higher.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.