EU to have first IoT cybersecurity legislation

Sheila Zabeu

September 12, 2022

A draft Cyber Resilience Act, due to be presented soon and calling for more stringent baseline cybersecurity requirements for connected equipment such as Internet of Things devices, was previously reported on by EURACTIV, the European Union’s specialist policy media network.

The future law aims to address the vulnerabilities that are widely affecting the IoT sector, where a high level of interconnectivity makes it possible for the compromise of a single device to cause large collateral damage to an entire organisation, a supply chain, or even on a global scale.

If it comes into force, it will be the first legislation in the world to establish a legal framework covering all connected devices, aimed at ensuring cybersecurity throughout the lifecycle of connected products.

Under the terms of the proposal, manufacturers of IoT products will have to meet requirements during the design, development and production phases before equipment reaches the market, and will have to keep monitoring their products so that vulnerabilities identified throughout the lifecycle can be fixed through free automatic updates.

“Obligations would be established for economic operators, from manufacturers to distributors and importers, in relation to placing products with digital elements on the market, in a manner appropriate to their role and responsibilities in supply chains,” the bill says.

The list of requirements includes an “appropriate” level of cybersecurity, a prohibition on releasing products with known vulnerabilities, secure-by-default configuration, protection against unauthorised access, limitation of attack surfaces and minimisation of the impact of incidents.

In addition, products must guarantee data confidentiality, including via encryption, and process only the data strictly necessary for their operation. Manufacturers will also be required to identify vulnerabilities through regular testing, resolve them promptly, and report incidents and actively exploited vulnerabilities.

Manufacturers will also have to carry out conformity assessments, either through internal procedures or through examinations by third-party conformity assessment bodies (notified bodies). Importers and distributors will be obliged to verify the conformity of the products they handle.

Fines for non-compliance, should the bill become law, could reach €15 million or 2.5% of annual worldwide turnover, whichever is higher. The proposed rules would become applicable 24 months after their entry into force, with the exception of the manufacturers’ reporting obligation, which would apply after 12 months.

The European Commission estimates that the Cyber Resilience Act, if passed, could bring the European economy savings of between €180 and €290 billion per year.

Background

The European Commission launched a public consultation in March 2022 to gather the views and experiences of all relevant parties on what the new European Cyber Resilience Act should look like.

The initiative had initially been announced by European Commission President Ursula von der Leyen in her State of the Union speech in September 2021. The law will establish cybersecurity rules for digital products and services placed on the EU market.

“If everything is connected, everything can be hacked. As resources are scarce, we have to pool our forces. […] This is why we need a European Cyber Defence Policy, including legislation setting common standards under a new European Cyber Resilience Act,” Ursula von der Leyen said.

The Cyber Resilience Act is expected to complement the existing EU legislative framework, which includes the NIS Directive on the security of network and information systems and the Cybersecurity Act, as well as the forthcoming directive on measures for a high common level of cybersecurity across the Union (NIS 2, proposed in December 2020).

The public consultation remained open until 25 May 2022. In parallel, the Commission had published a call for evidence presenting an overview of the problems identified so far and possible ways to address them; the call was open at the same time as the public consultation.

The current EU legislative framework applicable to digital products comprises several pieces of legislation, but it covers only some aspects of the cybersecurity of tangible digital products and their embedded software.