Regulatory measures are urgently needed because of the rapid pace of Internet of Things (IoT) adoption and the recurring cybersecurity attacks that exploit security gaps and flaws in many IoT devices.
Regulation of IoT is relatively new and still in the process of establishing itself, mostly because both the threats and the IoT technology itself continue to evolve. The regulation of IoT first began in 2019, and many manufacturers still have questions and concerns today, particularly about which regulations apply and whether compliance will provide enough security to guarantee the safety of both manufacturers and end users.
The challenges also lie in the complex and often lengthy timelines of IoT development and deployment, which involve other processes such as design, purchasing, procurement, and operation. This raises the question of which regulation a device needs to comply with and at what stage in its lifecycle. Let’s take a look at some of the actions the government is taking and the decisions impacting regulation of IoT device security.
Cyber Resilience Act (CRA)
In 2020, the Council acknowledged the increasing cybersecurity risks for connected devices. The Council stated that 'cybersecurity and privacy should be acknowledged as essential requirements in product innovation, the production and development processes − including the design phase (security by design) − and should be ensured throughout a product's life cycle and across its supply chain'. But it wouldn’t be until May 23rd, 2022 that the Council called upon the Commission to propose common cybersecurity requirements for IoT devices and associated services. The law will not go into effect until 2024.
As the first ever EU-wide legislation dedicated to the cybersecurity of IoT products, the Cyber Resilience Act aims to address gaps in the existing cybersecurity regulations.
The proposed CRA addresses both hardware and software with the aim that fewer digital products with vulnerabilities hit the market. The main provisions of the proposed CRA will bring changes in responsibilities for those with roles in the supply chain, including manufacturers, importers, and distributors.
For manufacturers, cybersecurity should be considered by default from the design and development phases to prevent exploitable vulnerabilities. Manufacturers are also required to provide users with information on the digital product’s conformity assessment procedures and its technical documentation. The manufacturer’s cybersecurity obligations will be split between two main areas – the digital product’s security requirements and its vulnerability handling requirements. This means that manufacturers are responsible for designing, developing, and producing digital products without known exploitable vulnerabilities; they must also protect the confidentiality of the data that the digital product stores, transmits, and processes.
Once the product has been placed on the market, the manufacturer is obligated to carry out regular tests and reviews of the product’s security, keep a record of all issues that are identified, and fix them by providing free security updates and patches. All identified issues and exploited vulnerabilities must be reported to the European Union Agency for Cybersecurity (ENISA) within 24 hours of identifying the issue or security incident.
IoT devices that do not comply with the requirements of the regulations will be banned from European markets. The CRA also defines conformity assessment and compliance procedures, along with the fines involved in non-compliance with the obligations set out in the CRA.