The Internet of Things (IoT) segment has grown, and with it have come many examples of vulnerable products, from babycams whose feeds could be viewed by strangers online to hackable implantable heart devices. There are also infamous examples of botnets (i.e. clusters of hacked devices) featuring millions of IoT devices with one common trait: weak security.
The United States has laws and standards in place designed to ensure data security. Although the General Data Protection Regulation (GDPR) already contains a general obligation to secure data, recent developments in Europe show a greater focus on information security in general, not just on personal data.
In 2020, the UK government announced that it would be working on legislation to require compliance with specific security requirements or standards for consumer connected products. One of the touted requirements was, for example, a ban on universal default passwords. This requirement would in turn trigger the obligation to ensure that all passwords for a connected device are unique and strong, to avoid giving hackers easy access to millions of products once a single default password has been cracked. The resulting Telecommunications Product Safety and Infrastructure Bill, currently being considered by the House of Lords, will give the UK Secretary of State the power to impose specific security requirements for ‘internet-connectable’ and ‘network-connectable’ products or to require compliance with a given standard.
In the European Union, the European Commission published on September 15, 2022 a proposal for a “Cyber Resilience Act”, an EU regulation “on horizontal cybersecurity requirements for products with digital elements”. This regulation would require any manufacturer of a “product with digital elements” (i.e. “any software or hardware product and its remote data processing solutions”) to meet minimum cybersecurity requirements in order to be able to place the product on the EU market.
The concept of a “product with digital elements” does not appear to be limited to hardware + software pairs: several categories of products listed in the appendix to the Cyber Resilience Bill are today purely “software” products, such as a wide range of cybersecurity tools. The scope of the Cyber Resilience Act is therefore not limited to IoT products alone.
The proposed Cyber Resilience Act indeed calls for security by design by requiring manufacturers to design, develop and produce products that meet cybersecurity requirements. In particular, manufacturers will be required to carry out an “assessment of the cybersecurity risks associated with [the] product and take the result of this assessment into account during the planning, design, development, production, delivery and maintenance phases […] with a view to minimizing cybersecurity risks, preventing security incidents and minimizing the impacts of these incidents”. This echoes the provisions of the draft “NIS 2” directive (a proposal for a directive “on measures for a high common level of cybersecurity across the Union”) as well as the principle of “data protection by design and by default” in the GDPR.
Under the provisions of the Cyber Resilience Bill, manufacturers will have reporting obligations regarding actively exploited vulnerabilities on the one hand and security incidents on the other. They will be required to notify ENISA, the EU Cybersecurity Agency, of (i) “any actively exploited vulnerabilities” contained in the product and, separately, (ii) “any incidents having [an] impact on the security” of the product, in each case “within 24 hours of becoming aware of it”. In addition, manufacturers must inform users of the incident “without undue delay after becoming aware of it”. Beyond the information relating to the incident itself, they will also have to inform users, “where necessary, about corrective measures that the user can deploy” to mitigate the impact of the incident.
Furthermore, the Cyber Resilience Bill requires manufacturers to conduct conformity assessment procedures, draw up technical documentation and ensure that the product bears the relevant CE marking. The interplay between this text and existing conformity assessment procedures for products should be carefully assessed.
The Cyber Resilience Bill does not place the regulatory burden solely on manufacturers. Importers and distributors involved in placing products on the EU market are also subject to specific obligations, particularly in terms of documentation and CE marking. An importer or distributor will further be subject to the full obligations of a manufacturer if, for example, the product is marketed under the name or trade mark of the importer/distributor, or if the importer/distributor performs a “substantial modification” of a product already placed on the market.
The security requirements themselves appear to be future-proof and technology-neutral, for example the requirement to ensure that products are “delivered with a secure by default configuration, including the possibility to reset the product to its original state” or that they are “designed, developed and produced to limit attack surfaces, including external interfaces”. In many ways, these requirements reflect the common principles that underpin best practices in information security. Products belonging to a “critical” category (which covers a wide range of products, such as identity management systems, password managers, malware detection software, microcontrollers, operating systems, routers, smart meters, etc.) are then subject to stricter rules, in particular a specific conformity assessment procedure.
The Cyber Resilience Bill also includes links to the draft AI Regulation (also under discussion at the Commission). If a product is classified as a “high-risk” AI system under the proposed AI Regulation, compliance with the Cyber Resilience Act requirements will automatically be deemed compliance with the cybersecurity requirements under the AI Regulation.
As with other examples of recent legislation (from the GDPR to the Digital Markets Act and the Digital Services Act), the Cyber Resilience Bill provides for stiff penalties to ensure compliance: non-compliance may result in the recall or withdrawal of the product from the market or in other corrective action, and may also result in fines of up to €15 million or 2.5% of total worldwide turnover, whichever is greater. These fines are not the greatest risk businesses face in the event of non-compliance, as the Cyber Resilience Bill explicitly states that it is “without prejudice to [the GDPR]”, which could lead to significant liability issues if a particular action or behavior violates both sets of rules.
Now is the time to ensure that your information security practices are up to date and that all levels of your organization are properly involved in designing, deploying and maintaining a robust cybersecurity strategy that takes all applicable laws into account. Of course, companies operating globally will also need to follow the relevant national policy and guidance as it develops.