New EU cyber security rules drafted tipped to regulate IoT device market

Tough new European Union cyber security compliance rules are set to be put in place for smart devices connected to the internet such as fridges and TVs, based on a European Commission document seen by Reuters this week.

Concerns about cyber security attacks have mounted in recent years following high-profile incidents of hackers damaging businesses and demanding huge ransoms.

According to Reuters, the EU executive will announce its proposal known as the Cyber Resilience Act on 13 September, which is likely to become law following input from EU countries.

The rules could cut the cost of cyber incidents to companies by as much as €290 billion (AU$430 billion) annually versus compliance costs of about €29 billion, the paper said.

============

Manufacturers will have to assess the cyber security risks of their products and take appropriate procedures to fix problems, the document said.

The companies will have to notify EU cyber security agency ENISA of incidents within 24 hours once they are aware of issues and take measures to tackle the problems.

Importers and distributors will be required to verify that products conform with EU rules.

If companies do not comply, national surveillance authorities can "prohibit or restrict that product being made available on its national market, to withdraw it from that market or recall it", the paper said.

Flouting the rules can cost companies fines as much as €15 million or up to 2.5 percent of their total global turnover, whichever is higher, with lower fines for less serious breaches.