Harsh penalties for non-compliant smart tech


Friday, 24 January, 2025



Across its 27 member countries and population of about 448 million, the European Union (EU) hosts nearly 20 billion connected devices.

These include smart home appliances, connected vehicles, industrial sensors and medical devices. By 2030, the number of connected digital products in use within the EU is projected to reach 30 billion. As a result, the market is expected to grow from €120 billion in 2024 to between €250 billion and €300 billion by 2030. But there’s a hitch.

Last year, the European Union introduced a new regulation that will affect all manufacturers supplying connected electronic products to EU countries: the EU Cyber Resilience Act (CRA). The CRA makes manufacturers responsible for the cybersecurity of their products, not just at the point of sale but throughout the entire product lifecycle. Once the CRA takes effect, selling smart connected devices without regular cyber resilience testing will be illegal in Europe. Violations could result in fines of up to €15 million ($16.75 million) or 2.5% of annual global turnover — whichever is higher.

No loophole

Cybersecurity expert Jan Wendenburg, CEO of European cybersecurity and compliance company ONEKEY, explained that the CRA regulation applies not only to product manufacturers, but also to distributors: that is, importers and retailers who sell connected devices within the EU. The CRA also covers all online platforms through which consumers or businesses can purchase electronic products in European countries, without exception.

“There is no loophole,” Wendenburg said. “As soon as a product of any type or origin has an internet connection, the strict requirements of the EU CRA legislation apply.”

Wendenburg pointed out another potential regulatory hurdle: when artificial intelligence (AI) is used in networked devices, either directly or via a cloud connection, the EU Artificial Intelligence Act (EU AI Act) must also be observed via the EU Cyber Resilience Act if international companies want to sell electronic products in the countries of the European Union.

Because of the need for continuous software updates, networked devices planned for distribution in the European Union need to be prepared right from the development phase. “EU legislation is based on security by design,” Wendenburg said. “With a development time of one and a half to three years, depending on the product category, it is therefore high time to focus on an EU-compliant product range.”

ONEKEY operates a Product Cybersecurity & Compliance Platform (PCCP) that enables international manufacturers, distributors and retailers to automatically check their networked devices, machines and systems for compliance with the European Union's Cyber Resilience Act. This includes all operational technology (OT) and Internet of Things (IoT) product classes.

“At ONEKEY, we are fully prepared to test internet-connected electronic products for compliance with EU cybersecurity regulations before they enter the European Union market,” Wendenburg said. “Products that fail to meet the CRA requirements will not be eligible for the CE mark, which is mandatory for sale within the EU.”

The European Union has a strong track record of imposing substantial fines on international companies that violate EU regulations and laws. Examples include Apple (€13 billion, 2016); Google (€4.34 billion, 2018); Amazon (€746 million, 2021); Samsung (€145 million, 2013); Sony, Panasonic and Sanyo (€166 million, 2016); and ChemChina (€68 million, 2017).

“The EU is not afraid to go after the big players, so it is even less afraid of fining smaller and medium-sized companies for non-compliance with EU rules,” Wendenburg warned.



  • All content Copyright © 2025 Westwick-Farrow Pty Ltd