EU Cyber Resilience Act to Toughen Cybersecurity Rules for Smart Devices
In an effort to secure the growing number of IoT devices entering European homes, the EU has introduced the Cyber Resilience Act. These new regulations, released officially on September 13, 2022, seek to place a bulk of the responsibility for smart devices’ security on the manufacturers.
What is the EU Cyber Resilience Act?
First introduced in September 2021 by EU Commission President Ursula Von der Leyen, the EU Cyber Resilience Act is being put in place to establish rules and guidelines to govern the general security practices for commercially distributed IoT devices and their associated services.
The regulations set forth a number of rules that manufacturers must meet before they are approved for sale in the EU market. There are two primary categories for critical products, primarily defined by their compliance processes.
- The first includes browsers, password managers, antiviruses, firewalls, VPNs, physical network interfaces, routers, microprocessors, etc.
- The second category focuses on high-risk items like desktop and mobile smart devices, virtualised operating systems, digital certificate issuers, smart meters, IIoT devices, etc.
Many of the measures introduced in the act are rooted in the New Legislative Framework for EU product legislation set forth by the European Commission. Among the many elements laid out in the EU Resiliency Act, the regulations seek to set forth:
- Guidelines for the design, development, and production of smart products,
- Requirements for the vulnerability handling processes created by manufacturers to ensure consistent cybersecurity over the device’s lifespan (i.e. limiting attack surface, protecting from unauthorized access, etc.)
- Rules on market surveillance and enforcement.
- Standard processes for device makers to communicate “sufficient and accurate information” on any related to the product’s security.
- The prohibition to sell any products with a known vulnerability.
The act also sets forth clearly defined financial penalties for manufacturers who fail to meet requirements. Many of these financial penalties scale up to €15M or 2.5% of the manufacturer’s previous year’s worldwide annual revenue. For comparison, GDPR penalties are only up to €10m, or 2% of a company’s global revenue of the previous year. The EU Resilience Act will also allow EU powers to recall and/or ban products that are not compliant with these new guidelines.
“Just as we can trust a toy or a fridge with a CE marking, the Cyber Resilience Act will ensure the connected objects and software we buy comply with strong cybersecurity safeguards,” says Margrethe Vestager, executive vice-president for A Europe Fit for the Digital Age. “It will put the responsibility where it belongs, with those that place the products on the market.”
The Latest in a Line of Cyber Regulations
This is only the latest attempt at legislating IoT security in the region, as the UK recently put forth the Product Security and Telecommunications Infrastructure (PTSI) bill to set similar guidelines for consumer-connected products sold and operated throughout the United Kingdom. Among the provisions laid out in the PTSI were many “common sense” security standards, such as not using default passwords, and disclosing known vulnerabilities.
Where the PTSI and EU Resilience Act differ, however, is in the scope of the language. For one, the UK bill impacts not only manufacturers of connected devices, but importers and distributors as well – and that’s not the only difference in scope between them. The Resilience act, broadly targets “digital products and ancillary services,” while the PTSI is specific to “internet- and network-connectable products.” The broader scope of the EU act does cover a broader scope of devices and services, and the focus on manufacturers’ responsibilities seeks to address a common criticism of cybersecurity as a reactionary measure.
“Regulating products in the IoT domain, where they’re not necessarily designed and developed and launched with cybersecurity in mind, is good because anything we can do to get manufacturers and suppliers to recognise the importance of cybersecurity is a positive,” Ross Brewer, vice president, and general manager AttackIQ, told Tech Monitor.
The Potential Impact of the EU Cyber Resilience Act
Reuters estimates that these new regulations could reduce the cost of cyber incidents to companies within the EU by as much as €290 billion per year, this is in contrast to the estimated compliance costs of €29 billion.
Yet Brewer believes the impact of these regulations may not reach their full potential due in part to the economic challenges of enforcement, the potential for inflation that could come from them, as well as the length of time it could take for these regulations to take effect.
“The challenge comes about in that, when you look at any EU regulation, it’s going to take many months and years to develop, and the problem is that over time, regulations get watered down to the lowest common denominator, which means they become pretty easy to satisfy,” he said.
Cybersecurity Doesn’t End with the Manufacturer
While these regulations could help set a user’s mind at ease when they are deploying their network of IoT devices, the responsibility for keeping one’s data secure also falls on the users themselves.
Users and developers can deploy many tools to help protect their data from incursions, whether that be private networking tools that secure connection to your provider of choice, to packet inspection services that monitor the data that passes to and from your network, to authentication measures that can verify every device in your fleet.
Got a question for Soracom? Whether you’re an existing customer, interested in learning more about our product and services, or want to learn about our Partner program – we’d love to hear from you!