Implications of the new EU IoT Cyber Resilience Act

0
274

The EU Cyber Resilience Act is the first EU-wide legislation to impose cyber security rules on manufacturers. It will cover both hardware and software and applies to both manufacturers and developers, making them responsible for the security of connected devices. Mike Nelson, the VP of IoT Security at Digicert explains his views on this new regulation and what it might entail for manufacturers of IoT based products.

The European Commission states that the regulation will tackle two issues: “the low level of cybersecurity of many of these products and more importantly the fact that many manufacturers do not provide updates to address vulnerabilities.”

At this point, the EU Cyber Resilience Act is with the European Parliament and Council to examine and adopt. Once enacted, Member States will have up to two years to adopt the requirements. Thus, Nelson suggests that manufacturers should be prepared to comply with the act any time in the next few years.

IoT device manufacturers could face massive fines and penalties for non-compliance with the drafted EU Cyber Resilience Act. This is one of the first legislations to require a financial penalty for non-compliance. The EU is clear that with this proposed legislation the financial burden of devices will rest with manufacturers and developers.

The devil will be in the details as the requirements are developed and released. “We anticipate that they will use non-prescriptive approaches similar to what we see in other regulations, like “encrypt sensitive data,” “devices must have the ability to be updated,” “ensure integrity of software and firmware,” etc. However, to justify a penalty, they need to have some measurable approaches. There will likely be a requirement for regular updates, as that is one of the pain points that the European Commission raised. Sending automatic updates to a large scale of devices will be difficult without a solution that helps manufacturers maintain viability and automate tasks. Additionally, the EU Commission has stated that there will need to be more information available for consumers to make informed purchasing decisions and to set up their devices securely” explains Mike Nelson.

It seems quite certain that products that do not meet ”essential” cyber security requirements will not be allowed to go to market. This means that manufacturers that have not already done so, need to start incorporating security in the design of their products now, so that devices going to market in the next few years will be up to the required security standards. Market surveillance authorities in each EU member state will be responsible to fine non-compliant companies, up to a limit set within the act, and prohibit non-compliant devices from going to market. However, having one set standard for cyber security across the EU will also make it more streamlined and clearer for manufacturers on how to maintain compliance.

As manufacturers will be required to be more transparent on the cybersecurity in their devices, consumers will have increased trust in the connected devices that do go to market. Furthermore, the EU Commission anticipates it could even increase demand for “products with digital elements” if consumers trust the product security more.
IoT should be “secure by design”

“Regulators shouldn’t have to come in with heavy fines and consequences to drive security — but sadly, all too often security is an afterthought in device development”, says Nelson. “In a perfect world, companies would realise the importance of protecting their assets, customers, reputation, and employees and do security the right way because it’s the right thing to do. Until we get there, we will have to continue tolerating regulators coming in with a stick. Additionally, the ability for national surveillance authorities to be able to prohibit or restrict the sale of non-conforming products will also be a stick that will drive better security.”

“At DigiCert, we believe the EU Cyber Resilience Act can increase digital trust in our connected world. We have long championed the necessity of security by design and have the expertise and solutions needed to help manufacturers achieve it,” concludes Mike Nelson