A European Commission (EC) proposal to impose fresh cybersecurity regulations on connected devices sold in the economic bloc advanced, with the outline rules being granted a provisional green light by politicians.

In a statement, the European Council revealed it had reached an initial agreement with representatives from the European Parliament on the Cyber Resilience Act, which aims to improve the security credentials of devices in the region.

Should it be made law, the act will cover the vast majority of devices connected directly or indirectly to other devices or networks. The exceptions are products under the remit of other security regulations, such as cars or products used in the medical sector.

The European Council cited an ambition to “fill the gaps” and “make the existing cybersecurity legislation more coherent”, adding the act aimed to ensure IoT products and other devices “are made secure throughout the supply chain and throughout their lifecycle”.

Among the proposals are rules for manufacturers on conducting risk assessments and declaring conformity, regulations for importers and distributors, and ways to allow consumers to assess the security level of products.

In its statement on the progress of the proposal, the EC noted the act is now subject to the formal approval process by the European Council and European Parliament. Once it comes into force, manufacturers, importers and distributors will have 36 months to comply.