LEAK: Commission to introduce cyber requirements for Internet of Things products – EURACTIV.com

LEAK: Commission to introduce cyber requirements for Internet of Things products
By Luca Bertuzzi | EURACTIV.com

8 Sept 2022 (updated: 14 Sept 2022)

The European Commission estimates that thanks to the Cyber Resilience Act the European economy could save between €180 to 290 billion per year. [TippaPatt/Shutterstock]

Languages: Deutsch | Italian
The proposal for a Cyber Resilience Act that will be presented next week will mandate baseline cybersecurity standards for all connected devices and stricter conformity assessment procedures for critical products, according to a draft seen by EURACTIV.

The proposal is trying to address the widespread vulnerabilities in the booming Internet of Things (IoT) sector, where even the hacking of a single device, the so-called ‘weakest link’, could lead to major spill-over effects to the entire organisation or supply chain.

At the same time, users are not provided with sufficient information on the cybersecurity features of a connected device to make an informed choice when buying it.

To address these concerns, the Commission is presenting the first legislation in the world to introduce a legislative framework for all connected devices that would ensure the cybersecurity of these products throughout their entire lifecycle.


EU chief announces cybersecurity law for connected devices
European Commission President Ursula von der Leyen announced on Wednesday (15 September) a Cyber Resilience Act aimed at setting common cybersecurity standards for connected devices.

Scope
The regulation covers “product with digital elements,” defined as “any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately.”

The products covered by sectorial legislation, such as medical devices, have been excluded.

Requirements
The manufacturers of IoT products would have to comply with essential requirements for the design, development and production before the device is launched on the market. They would continue to monitor and address vulnerabilities during its whole life cycle via automatic updates free of charge.

“Obligations would be set up for economic operators, starting from manufacturers, up to distributors and importers, in relation to the placement on the market of products with digital elements, as adequate for their role and responsibilities on the supply chain,” the draft reads.

The list of essential requirements encompasses an ‘appropriate’ level of cybersecurity, the prohibition to launch products with any known vulnerability, security by default configuration, protection from unauthorised access, limitation of attack surfaces, and minimisation of incident impact.

The products must ensure confidentiality of data, including using encryption, protecting its integrity and only processing data that is strictly necessary for its functioning.

The manufacturers will have to identify the vulnerabilities in the product via regular tests and address them without delays. Similarly to the recently revised directive on Network and Information Security (NIS2), the proposed act is set to require manufacturers to report exploited vulnerabilities and incidents.


NIS2 – All you need to know
The EU legislators have just reached an agreement on the revised Network and Information Security Directive (NIS2), flagship cybersecurity legislation. We caught up with the European Parliament’s rapporteur Bart Groothuis straight out of the trilogue to get all the details …

Risk categories

Beyond these essential requirements, the Commission listed several critical products that are considered to represent a greater risk. The critical products are divided into two ‘classes’, for which the main difference is the compliance process.

Class I includes identity management systems, browsers, password managers, antiviruses, firewalls, virtual private networks (VPNs), network management, systems, physical network interfaces, routers, and chips used for essential entities as intended under the NIS2.

Moreover, this category covers all operating systems, microprocessors and industrial IoT not covered in class II.

The higher risk category contains desktop and mobile devices, virtualised operating systems, digital certificate issuers, general purpose microprocessors, card readers, robotic sensors, smart meters and all IoT, routers and firewalls for industrial use, which is considered a ‘sensitive environment’.

The text empowers the Commission to adopt secondary legislation to update the list of critical products under classes I and II and to mandate the certification of highly critical products.

Conformity assessment
The manufacturers would also have to perform conformity assessments on their products via an internal procedure or an EU-type examination performed by notified bodies, a third-party established to assess compliance with this regulation.

In the case that the producer uses harmonised standards, receives an EU statement of conformity or a certificate under a European cybersecurity certification scheme, the product is presumed to be compliant with the regulation.

Importers and distributors will be required to check the manufacturer’s compliance with the relevant procedures and the CE marking of the device.

The manufacturers of critical products of class I and II will have to follow a specific procedure for compliance. For the devices under class II, there will have to be a third-party assessment.

Governance
The competent national authorities would have to follow a list of requirements to set up notified bodies that will provide the third-party assessment.

The member states would also have to put in place market surveillance bodies that might be the cybersecurity authorities established under the NIS2 directive.

The national authorities might carry out so-called ‘sweeps’, simultaneous coordinated control actions of particular devices to check their compliance. In case of persistent noncompliance, the national authorities might ban the product from the EU market.

Penalties
The penalties for non-complying with essential requirements can amount to €15 million or 2.5% of the annual turnover, whichever is higher.

Timeframe
The proposed regulation would become applicable 24 months after its entry into force, with the significant exception that the reporting obligation on manufacturers would apply from 12 months after the entry into force.