EU law set to target inferior IoT products

Companies that make so-called internet of things, or IoT, products－such as smart kitchen appliances, web-connected doorbell cameras, and remotely controlled heating systems－could find it harder to sell their wares in the European Union, if the bloc passes legislation set to be unveil next week.

The proposed law, which will be aimed at reducing the risk of cyberattacks, calls for companies that produce products that connect to the internet to ensure they have adequate security measures in place to stop criminals virtually penetrating people's homes.

The Financial Times newspaper said documents it had seen relating to the draft legislation call for heavy fines for manufacturers and software developers that fail to meet the bloc's proposed rules.

The paper said companies will need to get mandatory certificates that testify to their products' safety before they can sell them in the EU.The enterprises will need to prove their products do not have internet backdoors or faults that can be exploited by criminals.

The paper said the draft legislation calls for fines to be as high as 15 million euros ($14.9 million), or 2.5 percent of an enterprise's previous year's global turnover, whichever is greater.

The proposed law will also let the bloc recall products or ban items that do not have the new online safety certificates or that fail to maintain standards.

The EU is aiming to have the legislation in place by 2024.

The FT quoted the leaked draft document as saying: "Hardware and software products are increasingly subject to successful cyberattacks, leading to an estimated global annual cost of cyber crime of 5.5 trillion euros by 2021."

Financial news specialists Bloomberg said the document noted that IoT products often have "a low level of cybersecurity, reflected by widespread vulnerabilities and the insufficient and inconsistent provision of security updates to address them".

The document said two-thirds of the flaws that allow IoT products to be exploited by criminals are known to manufacturers but are not repaired.

The bloc's internal markets commissioner, Thierry Breton, has long called for the EU to take more steps to protect people from internet crime, which can include voyeurism, identity theft, fraud, sabotage, and blackmail.

He noted in a blog written last September that the risk of cyberattacks had grown "with the explosion of connected objects and the increased use of industrial data".

Bloomberg said the proposed legislation, which will apply to products as diverse as phones and baby monitors, will be called the Cyber Resilience Act.

The BBC said the EU's Agency for Cybersecurity will oversee the implementation of the proposed legislation and compile a database of companies and products that fail to comply with the new rules and that are therefore banned from being sold within the bloc.