[Polizeiposaune]

"Stores are not permitted to sell products with known vulnerabilities under new cybersecurity regulations."

Do stores have to patch known vulnerabilities before releasing the product to customers or can customers install the patch?

[jeroenhd]

I believe it's okay to let customers install the patch. The regulation itself can be found here: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML

Basically, the manufacturer has to issue a patch, and the distributor has to ensure that the patch is available before selling the vulnerable devices. Without secure software, the product is essentially CE-incompliant, which means it practically isn't allowed to be sold.

IANAL though.

[MrBuddyCasino]

This sounds like another bureaucratic nightmare. Who is going to track this?

[geoffpado]

Grocery stores everywhere have the ability to pull recalled products off their shelves pretty quickly. I did it fairly regularly at my first job as a shelf-stocker for a small local store in rural MO. Somehow we made it work, so clearly someone figured out how to deal with that "bureaucratic nightmare". I see no reason why hardware products that are on a list due to known issues would be any different.

[MrBuddyCasino]

Thats actually a good analogy, well said!

An immediate sales stop and recall is certainly appropriate when food endangers people's health, I'm not sure it is the right decision in this case. You could give manufacturers some time to fix it, and only then stopping the sales. This way they would still be incentivised to quickly make a fix, but avoid the potentially huge economic downside, which will lead to higher barriers of entry and probably further consolidation, hurting consumers in a different way. Remember that regulation always benefits the incumbents.

[mschuster91]

You know, vendors could just do the right thing and invest into security so that they don't ship vulnerable stuff from the start...

[MrBuddyCasino]

I'll pass the message on, if you kindly sign this contract to never have a car accident for the rest of your life. Just do the right thing and invest in your driving skills.

[mschuster91]

> Just do the right thing and invest in your driving skills.

Well your analogy just proves my point, LOL.

The EU mandates that you take driving school lessons and pass an appropriate examination. Some countries go even further and demand regular medical checkups (Italy does so for senior citizens, if you're 80+ it's once every two years). And if you manage to get in the spotlight for too many or too egregious violations, your license gets suspended to permanently revoked, in addition to some serious fines and the requirement to undergo further evaluation or even therapy (e.g. if you're facing substance addiction issues).

Use that analogy on software/firmware for appliances, and then you get:

- an initial independent certification requirement before introduction into the market - and no, CE doesn't count: all that "CE" signifies is that you as the manufacturer/importer believe your product is conforming to regulations. For many products (IIRC, everything but medical products and devices containing radio transmitters), that's it, you don't even have to go to a third party like the TÜV for a formal audit.

- obligations if you manage to stand out with security issues, including a temporary order to not sell any more units until they are reworked

- getting permanently booted off the market if your violations are too serious.

[aspenmayer]

Stores don’t have the capability to do this. These aren’t car dealerships we’re talking about here, more like Walmart or Best Buy. It would take a recall/RMA or online firmware updates, both of which already exist and are widely used.