The European Union has proposed the Cyber Resilience Act, aimed at enhancing the cybersecurity of smart devices connected to the internet. Under the proposed law, companies will be required to assess these devices for cybersecurity risks and take appropriate measures to address identified issues within a span of five years or the expected product lifespan. Non-compliance could result in fines of up to 15 million euros or 2.5% of the company's global turnover.
The move comes in response to increasing ransomware incidents and cyberattacks that have exposed vulnerabilities in software, network equipment, and operating systems. The EU argues that compliance with these requirements could save companies up to 290 billion euros annually in cyber incident costs.
However, major industry players, including Ericsson, Siemens, Schneider Electric, Nokia, Robert Bosch, ESET, and industry group DigitalEurope, have expressed concerns. They fear that the proposed laws may disrupt supply chains, similar to pandemic-related disruptions. The rules would also apply to importers and distributors of connected devices. In a joint letter to EU officials, these companies warned of potential bottlenecks in European supply chains and suggested focusing on fixing known vulnerabilities before assessments and allowing more flexibility for self-assessment of cyber risks.
The EU is set to negotiate the terms of the proposed draft on November 8, which will determine its adoption into law. The concerns raised by industry giants highlight the ongoing debate over balancing cybersecurity requirements with potential economic impacts.
Top comments (0)