Commission plans to set global cybersecurity standards for connected devices – EURACTIV.com


The European Commission says its new cybersecurity law will set the security bar for Internet of Things products worldwide and give European manufacturers a competitive edge.

The Cyber Resilience Act was presented last week and introduces a security-by-design approach for all products with digital components. The idea is to force manufacturers to fix vulnerabilities to make it easier for consumers to adopt connected products. The Internet of Things industry is expected to boom in the coming years.

As expected by EURACTIV, the regulation includes a set of essential requirements that product manufacturers should comply with throughout the product lifecycle, including pushing security patches through free automatic updates.

“It will not only have an impact on the European Union. It will be a game-changer on a global scale, one way or another. Because they will copy us or because they won’t have the tools to respect our rules. It’s good not only for the level of cybersecurity but also for Europe’s competitiveness,” said Lorena Boix Alonso, director of the Commission’s cybersecurity department, at an event organized by EURACTIV earlier this week.

The ambition is to replicate the result of the General Data Protection Regulation via the Brussels effect. Namely, companies that have adopted EU rules to access the single market have found it more practical to apply them in their global operations than to create different products or processes.

“At first, everyone was a little hesitant. Then we saw that all the other markets, including the United States, started playing by the rules like the European market,” said Joanna Swiatkowska, director of operations at the European Cybersecurity Organization, during the same event.

Swiatkowska added that the Cyber Resilience Act would likely increase the level of security globally and create a market where cyber security is a competitive advantage. An incentive that, until now, was missing from the picture.

The EU executive has estimated that two-thirds of cyberattacks come from exploiting vulnerabilities in connected devices. At the same time, more than half of the vulnerabilities are known to the product manufacturer when it launches the product on the market.

“It would be difficult for a burglar to break into your home or for a criminal group to tap your phone. In the cyber domain, these events are all too frequent. It’s because we don’t always lock the door. When we do, sometimes the padlock doesn’t work,” Czech Ambassador Jaroslav Zajicek said.

Indeed, manufacturers have an incentive to launch a product on the market as soon as possible rather than invest in its security unless they are obliged to. Therefore, the new regulation aims to update EU product safety legislation to cover this type of product with a risk-based approach.

“There are two ways to follow a risk-based approach. Either you give different security requirements or you rate the same requirements differently depending on the level of risk. In this case, it was not appropriate to say that some products should be better protected than others,” Boix added.

The proposal clarifies that, while all products will be subject to the same requirements, the conformity assessment procedure will be more rigorous for certain categories of products, such as mobile phones, card readers and all connected devices for industrial use.

The Commission representative acknowledged that they expect an intense debate on which products will fall under these categories. As is always the case when there is a list, the efforts of lobbyists are focused on adding or deleting specific items.

“The proposal focuses on the industrial side of this challenge. On our side, there are products which, precisely because of the sensitivity of the intended use, should also be definitely recognized as critical products,” said Cláudio Teixeira, legal officer of the European consumer group BEUC.

Teixeira referred to the case of My Friend Cayla, a “smart doll” that allowed children to access the Internet through voice recognition software. The doll sparked a public backlash in Germany after it was revealed that hackers could easily access the doll to spy on or even talk to children. The German telecommunications authority therefore labeled the doll an “illegal spy device”.

For the consumer organization, all child-related products and systems intended to ensure the user’s safety in the physical world, such as smart homes and security alarms, must fall under the highest level of assurance.

[Edited by Alice Taylor]