EU Proposes Strict Cybersecurity Rules for Digital-Product Makers

“It’s important when you buy a product that the product doesn’t have known vulnerabilities. That’s not the case today,” Thierry Breton, EU commissioner for the internal market, told reporters on Thursday. The legislation is a breakthrough, he said, because Europe is the first continent to propose required cybersecurity assessments for software.

The legislation will be “a massive undertaking” at significant cost to companies in the form of security assessments and new procedures, said Nils Scherrer, a manager in digitization at ZVEI, an association of German electrical and digital companies, including Siemens AG and Bosch Thermotechnik GmbH, a subsidiary of Bosch AG that makes heating equipment.

“You need to basically change all your internal processes that are involved in the product life cycle,” he said.

Products with digital components will need to display labels saying they comply with the new rules and stating how long cyber support will be provided. The proposal doesn’t cover medical devices and cars, which are regulated by other laws.

Lawmakers must negotiate details of the proposal before it can be approved, a process that could take several months. Companies will then have two years to comply.

Businesses also will have to disclose a so-called software bill of materials listing the components of each product, a move that could help manufacturers monitor their supply chains and track security vulnerabilities, the proposal says. An EU official involved in drafting the legislation said the bill of materials was inspired by President Biden’s 2021 executive order on cybersecurity, which requires companies that provide software to the federal government disclose their components.

The draft rules include a list of 38 critical technology products required to obtain cybersecurity assessments from an independent body. Those products, which include software such as password managers and firewalls, and hardware such as microcontrollers, industrial internet-of-things devices and smart meters, were deemed critical in part because of the potential impact if they were hacked, the EU official told reporters last week. Still, the official said, around 90% of companies will likely be able to self-certify.

Some manufacturers are concerned about third-party security reviews delaying product launches, said Paolo Falcioni, director general of Applia, a Brussels-based association for home appliance makers. “It is essentially a time-to-market restriction,” he said.

The proposal leaves room for the European Commission to create a list of “highly critical” products that would require a separate certification created by EU cybersecurity experts.

The list of products deemed critical under the legislation is already too broad, Mr. Scherrer said, and some might not be used for crucial functions at all. “You can have a component that might be able to connect to a network but is used in a completely uncritical context. It could be part of a Coca-Cola machine or nuclear power plant,” he said.

Consumer advocates, meanwhile, said the list should be longer. Hackers could cause major damage if they intercept signals for common products such as wearable devices, connected toys or home thermostats, said Claudio Teixeira, a legal officer at the Brussels-based European Consumer Organisation.

Last year, the Belgian consumer organization Test-Achats tested 16 connected devices including baby monitors, smart vacuum cleaners and smart televisions. Ten had serious security flaws, including weak default passwords and a lack of data encryption, that made them easily hacked. “We recognize a market failure here,” he said.

Write to Catherine Stupp at catherine.stupp@wsj.com