Manufacturers of all manner of connected devices could face penalties of up to €15 million if they fail to comply with new cybersecurity rules proposed by the European Commission (EC).

The Commission today (15 September) published a draft of the Cyber Resilience Act which aims to boost the security of connected devices and software sold throughout the European Union.

Notably, manufacturers will be required to take responsibility for the security of their products throughout the entire product life cycle.

Thierry Breton, Commissioner for the Internal Market, highlighted that many hardware and software products are currently not subject to any security requirements.

“When it comes to cybersecurity, Europe is only as strong as its weakest link, be it a vulnerable member state, or an unsafe product along the supply chain.”

Breton noted any unsecured device, ranging from computers and smartphones to toys and cars, “is a potential entry point for a cyberattack”.

Penalties for violations of the new rules will be harsh, with fines for the most serious breaches of up to €15 million or 2.5 per cent of global annual revenue, whichever is higher.

Companies could also be fined up to €10 million or 2 per cent of revenue for less serious violations, while those providing “incorrect, incomplete or misleading” information could face penalties of up to €5 million or 1 per cent of revenue.

The European Parliament and the Council will now examine the draft Cyber Resilience Act. Once adopted, companies and member states will have two years to adapt to the new requirements.