The EU will today announce tougher cybersecurity regulations for smart Internet of Things (IoT) devices in its Cyber Resilience Act, including heavy fines for makers and software developers who do not adhere to the new rules. Documents relating to the act show that companies will have to obtain a mandatory certificate to show they are meeting basic cyber safety requirements.
While the full details of the act won’t be revealed until later today, cybersecurity experts told Tech Monitor that the legislation, alongside the UK’s Product Security and Telecommunications Infrastructure (PSTI) bill, is a step in the right direction, and that manufacturers will need to take steps earlier in the supply chain to take the security onus away from the end user.
The Cyber Resilience Act has been in the works since October 2021, and in March the European Commission opened a public consultation on the initiative, which closed at the end of May. In this period, 109 pieces of individual evidence were submitted for consideration. The regulation is expected to become law by 2024.
What is the EU Cyber Resilience Act?
According to documents seen by the Financial Times and Reuters, the new law will compel IoT device makers to inform authorities and consumers about attacks as well as requiring them to put quick fixes to problems in place. It will also mean the European Commission can hit companies that fail to comply with penalties up to €15m, or 2.5% of the previous year’s global turnover. It is also said that the new regulations will give the EU powers to recall and ban products that are not compliant.
As part of the confidential document seen by the FT, a study showed that only half of relevant companies (23,000 hardware makers and 370,000 software makers) applied adequate safeguards against cyberattacks. This research also found that two-thirds of cyberattacks had come from previously detected breaches that makers had failed to fix, and put the global annual cost of cybercrime relating to such devices at “€5.5trn by 2021”.
European countries will be able to add input to the proposal following today’s announcement, says Reuters. It is hoped the rules will cut the cost of cyber incidents to companies by up to €290bn a year.
How does the Cyber Resilience Act compare to the UK PSTI bill?
As part of May’s Queen’s Speech, the UK announced the Product Security and Telecommunications Infrastructure (PSTI) Bill, which is designed to protect IoT devices. The three key requirements manufacturers will have to adhere to under the bill are no longer using default passwords, confirming how long security updates will be provided after the device is launched, and disclosing known vulnerabilities.
However, Rik Ferguson, VP security intelligence at Forescout, says that the UK bill is “really a framework” that empowers the government to specify security requirements through statutory instruments. He says that at a high level, the Cyber Resilience Act looks to have a broader remit, aiming at digital products and ancillary services.
“The UK legislation uses the more specific terms ‘internet-connectable product’ and ‘network-connectable product’, perhaps forgetting that the internet is indeed also a network,” he says.
The security futurist says that he wants to see the EU regulations covering the “entire lifecycle” of connected products, software and related cloud services. “Possibly even open source libraries and tools, such as Log4j [could be included],” he continues. “In a proposal of that scope, the UK legislation would be more comparable to a subsection.”
Professor John Goodacre, director of the UKRI’s Digital Security by Design challenge and professor of computer architectures at the University of Manchester, told Tech Monitor that the current “react and patch” approach to cybersecurity is unsustainable and that both the UK Bill and the EU Cyber Resilience Act will help move the burden of cyber defence from the user to earlier in the supply chain.
EU’s regulation comes with some challenges
Ross Brewer, vice president and general manager for the EMEA and APJ regions at security vendor AttackIQ, told Tech Monitor that he foresees some issues with the new EU regulation and that the EU is trying to deal with the “same old problem” faced in cybersecurity.
“Regulating products in the IoT domain, where they’re not necessarily designed and developed and launched with cybersecurity in mind, is good because anything we can do to get manufacturers and suppliers to recognise the importance of cybersecurity is a positive,” he explains. “The challenge comes about in that, when you look at any EU regulation, it’s going to take many months and years to develop, and the problem is that over time, regulations get watered down to the lowest common denominator, which means they become pretty easy to satisfy.”
He also warns that regulators will need to think about the cost associated with applying the act across the EU and to a wide variety of products and services. The high cost will then be “passed onto companies and then consumers, resulting in higher inflation,” he warns.