EU to impose tough new rules on ‘internet of things’ product makers

Makers of “internet of things” products, such as smart kettles and fridges, and software developers will face heavy fines if they do not meet tough rules aimed at averting cyber attacks, according to draft EU legislation to be unveiled next week.

Companies will have to obtain mandatory certificates that show they are meeting the basic requirements of cyber safety that minimise the risk of attacks, according to a confidential document seen by the Financial Times.

Those that fail to comply will be fined up to €15mn or 2.5 per cent of the previous year’s global turnover, whichever is higher.

The new rules will also give the European Commission, the executive arm of the EU, powers to recall and ban products that are not compliant.

A study by EU regulators showed that only half of relevant companies apply adequate safeguards against cyber attacks. The size of the market for hardware makers is roughly 23,000 companies with a combined annual turnover of €285bn and around 370,000 software makers with a total yearly turnover of €265bn.

The research also found that two-thirds of cyber attacks come from previously detected breaches that makers had failed to fix — something the new rules will require for products to be granted access to the EU market.

“Hardware and software products are increasingly subject to successful cyber attacks, leading to an estimated global annual cost of cyber crime of €5.5tn by 2021,” the confidential paper marked as “sensitive” said.

Under the proposed rules, which are expected to become law by 2024, internet of things (IOT) makers need to inform authorities and consumers about attacks and must be able to put in place quick fixes, the proposals state.

Legislators said in the draft proposals that “smart” products suffered from “a low level of cyber security” and “an insufficient understanding and access to information by users, preventing them from choosing products with proper cyber security features”.

The proposed legislation comes a year after internal markets commissioner Thierry Breton said new rules were needed to counter cyber attacks on the growing market of IOTs.

He said in a blog post in September 2021 that the risk for cyber security attacks in Europe was growing “with the explosion of connected objects and the increased use of industrial data”.

“We must act on the regulatory front to raise the level of security within our single market,” he added.

If implemented, the measures would be the first EU regulations that would affect all sectors where there is a digital component to counter the threat of cyber attacks, people briefed on the matter said.