Manufacturers of digitally connected products who have been putting out products with comedy levels of security will have to met new EU requirements even if they are not made in the EU.

The act would ensure products carrying the CE marking meet a minimum level of cybersecurity checks. Sensitive products running afoul of the rulebook face fines of up to €15 million, or 2.5 percent of worldwide turnover, whichever is higher.

EU Internal Market Commissioner Thierry Breton showed the press an internet-connected camera and warning such a device could pose risks of hacking and even state-backed espionage.

An annex attached to the legislation lays out how there would be two categories for products: one for critical products, which will cover about 10 percent of the market; and a second category that will cover all other products. For low-risk products, the Commission will ask companies to perform a self-assessment, indicating that a product meets cybersecurity standards. For those that can present a significant cybersecurity risk, a manufacturer will have to prove they meet the requirements to a national authority or through a third-party assessment.

Under the new law, the Commission would also have the power to direct the EU Cybersecurity Agency ENISA to evaluate whether a product presents a “significant cybersecurity risk,” and recall a product if it does.

The new bill still needs to be reviewed by the European Parliament and the EU Council before it becomes law.