"The Commission presented a proposal for a new Cyber Resilience Act to protect consumers and businesses from products with inadequate security features", this being "a first of its kind of legislation across the EU [that] introduces mandatory cybersecurity requirements for products with digital elements, throughout their life cycle", the EU executive announces in a statement.

Following a cybersecurity strategy outlined by the EU executive a year ago, the new legislation aims to ensure that "digital products, such as wireless and wired products and software, are safer for consumers across the EU".

Specifically, "in addition to increasing manufacturers' responsibility by obliging them to provide security support and software updates to address identified vulnerabilities, it will enable consumers to have sufficient information about the cyber security of the products they buy and use," Brussels adds.

The proposed regulation applies to all products that are directly or indirectly connected to another device or network, although some exceptions are foreseen for products for which cybersecurity requirements are already laid down in existing EU rules, for example for medical devices, aviation or cars. Mobile applications and video games are also covered, according to the institution.

Provided for in the legislation is that, "to ensure effective enforcement of the obligations set out in this law, each market surveillance authority shall have the power to impose or request the imposition of administrative fines".

In case of non-compliance with the essential cybersecurity requirements, fines of up to €15 million or, if the offender is a company, up to 2.5% of its total annual worldwide turnover for the previous financial year are at stake. Failure to comply with any other obligation under the regulation is subject to administrative fines of up to €10 million or, if the offender is an enterprise, up to 2% of its annual turnover.

Providing incorrect, incomplete or misleading information to notified bodies and market surveillance authorities in response to a request, on the other hand, is subject to fines of up to €5 million or, if the offender is an enterprise, up to 1% of its annual turnover, under the proposed regulation.

It will now be up to the European Parliament and the Council to deliberate on the proposed Cyber Resilience Act, with Brussels highlighting "the goodwill" of the co-legislators and hoping that the initiative will move forward quickly.

After entry into force, stakeholders will have 24 months to adapt to the new requirements, with the exception of a more limited grace period of 12 months in relation to the reporting obligation for manufacturers.

Data from the European Commission's Joint Research Centre for 2021 reveals that ransomware attacks hit one organisation every 11 seconds worldwide, and that the estimated global annual cost of cybercrime reaches €5.5 trillion.

The annual costs of data breaches are also estimated to be at least €10 billion, while the annual costs of malicious attempts to disrupt internet traffic are estimated at €65 billion.