Commission expects to set the world’s cybersecurity standards for connected devices – EURACTIV.com

Published on September 23rd, 2022



The European Commission contends that its new cybersecurity law will set the security bar for Internet of Things products worldwide and put European manufacturers at a competitive advantage.

The proposal for a Cyber Resilience Act was presented last week and introduced a security-by-design approach for all products with digital components. The idea is to oblige manufacturers to address vulnerabilities to facilitate consumer uptake of connected products. The Internet of Things sector is expected to boom in the coming years.

As anticipated by EURACTIV, the regulation includes a set of essential requirements product manufacturers would have to comply with throughout the product lifecycle, including by pushing security patches via automatic updates free of charge.

“This will impact not only the European Union. This will change the rules of the game globally, one way or another. Because they will copy us or because they will not have the tools to abide by our rules. This is good not only for the level of cybersecurity but for the competitiveness of Europe,” said Lorena Boix Alonso, the director of the Commission’s department in charge of cybersecurity, at a EURACTIV-hosted event earlier this week.

The ambition is to replicate the General Data Protection Regulation’s result via the Brussels effect. Namely, companies that adopted the EU rules to access the single market found it more convenient to apply them in their global operations than to create different products or processes.

“At the beginning, everyone was a little bit hesitant. Then, we saw that all other markets, including the American one, started to play by the rules as the European one,” said Joanna Swiatkowska, chief operating officer at the European Cyber Security Organisation, at the same event.

Swiatkowska added that the Cyber Resilience Act would likely boost the security level globally and create a market whereby cybersecurity is a competitive advantage, an incentive that, so far, has been missing from the picture.

The EU executive estimated that two-thirds of cyberattacks come from exploiting vulnerabilities in connected devices. At the same time, more than half of the vulnerabilities are known to the product manufacturer when they launch the product on the market.

“It would be difficult for a burglar to get into your house or for a criminal group to tap your phone. In the cyber domain, these events are too common. It’s because we don’t always lock the door. When we do, sometimes the padlock does not work,” said Czech ambassador Jaroslav Zajicek.

That is because manufacturers are incentivised to launch a product on the market as early as possible rather than invest in its security if not obliged. Therefore, the new regulation is meant to bring the EU’s product safety legislation up to speed to cover this type of product with a risk-based approach.

“There are two ways to follow a risk-based approach. You either give different security requirements or assess the same requirements differently according to the level of risk. In this case, it was not appropriate to say that some products should be better protected than others,” Boix added.

The proposal specifies that, while all products will be bound to the same requirements, the conformity assessment procedure will be rigorous for certain product categories, such as mobile phones, card readers and all connected devices related to industrial use.

The Commission representative acknowledged that they expect intense debate about which products will fall under these classes. As is always the case when there is a list, lobbyists’ efforts focus on adding or deleting specific items.

“The proposal focuses on the industrial side of this challenge. From our side, there are some products that precisely because of the sensitivity of the intended use should also definitely be recognised as critical products,” said Cláudio Teixeira, a legal officer at the European consumer group BEUC.

Teixeira made the case of My Friend Cayla, a ‘smart doll’ that allowed children to access the internet via speech recognition software. The doll spurred a public backlash in Germany after it was revealed that hackers could easily access the doll to spy on or even speak to children. The German telecom authority consequently ruled the doll an ‘illegal espionage apparatus’.

For the consumer organisation, all products related to children and systems intended to keep the user safe in the physical world, such as smart homes and security alarms, should fall under the highest level of assurance.

[Edited by Alice Taylor]
