A cybersecurity law for connected devices

Newsroom - September 18, 2021

If everything is connected, everything can be hacked, said European Commission President Ursula von der Leyen in announcing the Cyber Resilience Act, which aims to establish common cybersecurity standards for connected devices.

Speaking at the European Parliament, von der Leyen noted that the rapid spread of digital technologies “has been a major equalizer in the way the technology can be used today by rogue states or non-state groups” to disrupt critical infrastructures such as public administrations and hospitals.

“As resources are scarce, we have to pool our strengths. And we must not only be content to deal with the cyber threat, but we must also strive to become leaders in cyber security,” added von der Leyen in her speech on the “State of the European Union” to the European Parliament in Strasbourg.

The Cyber Resilience Act complements an existing proposal for a directive on the security of networks and information systems, commonly known as the NIS2 directive, which addresses the cybersecurity of digital services employed in critical sectors of the economy and society.

While NIS2 addresses the security of critical supply chains, there is consensus that connected devices are still a blind spot in the EU’s cybersecurity arsenal.

“The internet of things will bring many unsafe products because security is often not in the minds of the manufacturers of these machines. And there is still no European standard to be maintained. It’s nice to have a shredded pork machine in your kitchen or a smart coffee machine, but it’s also a way for hackers to get into your home IT systems,” explained Bart Groothuis, the legislator responsible for the NIS2 file at the European Parliament, to EURACTIV.

Why is it essential for Europe to invest substantially and urgently in all types of security?

“Recent events remind us to what extent Europe, and more generally the world, remains vulnerable to large-scale cyberattacks,” recalled Thierry Breton, European Commissioner for the Internal Market, referring to attacks on the Irish health system in the midst of a health crisis; the ransomware identified by Kaseya; the Colonial Pipeline hack in the USA; cyberattacks against the municipality of Anhalt-Bitterfeld, Germany; and those that targeted Thessaloniki, Greece.

The Cyber Resilience Act strengthens the EU Cybersecurity Agency (ENISA) and establishes a cybersecurity certification framework for products and services. The agency will play a key role in creating and maintaining the European cybersecurity certification framework, preparing the technical ground for specific certification schemes.

“We have long advocated this to ensure consumer safety across the EU,” Els Bruggeman, head of policy and oversight at Euroconsumers, told EURACTIV. “If the Commission is to become a leader in cyber security, it must work on a common EU approach to cyber threats that allows consumers to trust the Internet of Things,” added Bruggeman.

Looking to the future in her speech, President Ursula von der Leyen referred to digital as a decisive issue, one of success or failure. This is why the European Cyber Resilience Act and the European Chips Act have become two important initiatives for the EU’s digital agenda. In addition to them, she announced new investments in digital infrastructure. According to von der Leyen, digital spending under the NextGenerationEU recovery plan is expected to exceed the 20% target. The €800 billion NextGenerationEU temporary stimulus package contributes to the EU4Health program and the Horizon Europe research and innovation program.

The EU will focus on digital transformation, including investment in 5G, fiber, and digital skills, said von der Leyen. She also advocated passing the European Chips Act, which aims to create a “state-of-the-art European chip ecosystem” to ensure the security of supply and develop new markets for European technology.

Source: Euronews