EU announces first ever move to legislate cybersecurity for IoT
October 2022 by Mike Nelson, the VP of IoT Security at DigiCert
What the EU Cyber Resilience Act means for IoT security
The EU Cyber Resilience Act is the first EU-wide legislation to impose cybersecurity rules on manufacturers. It will cover both hardware and software and applies to both manufacturers and developers, making them responsible for the security of connected devices. The European Commission states that the regulation will tackle two issues: “the low level of cybersecurity of many of these products and more importantly the fact that many manufacturers do not provide updates to address vulnerabilities.”
What will the EU Cyber Resilience Act require?
The devil will be in the details as the requirements are developed and released. We anticipate that they will use non-prescriptive approaches similar to what we see in other regulations, like "encrypt sensitive data," "devices must have the ability to be updated," "ensure integrity of software and firmware," etc. However, to justify a penalty, they need to have some measurable approaches. There will likely be a requirement for regular updates, as that is one of the pain points that the European Commission raised. Sending automatic updates to a large scale of devices will be difficult without a solution that helps manufacturers maintain viability and automate tasks. Additionally, the EU Commission has stated that there will need to be more information available for consumers to make informed purchasing decisions and to set up their devices securely.
How will the EU Cyber Resilience Act affect IoT manufacturers?
IoT device manufacturers could face massive fines and penalties for non-compliance with the drafted EU Cyber Resilience Act. This is one of the first legislations to require a financial penalty for non-compliance. The EU is clear that with this proposed legislation the financial burden of devices will rest with manufacturers and developers.
Furthermore, products that do not meet ”essential” cybersecurity requirements will not be allowed to go to market. Thus, manufacturers need to start incorporating security in the design of their products now, so that devices going to market in the next few years will be up to the required security standards. Market surveillance authorities in each EU member state will be responsible to fine non-compliant companies, up to a limit set within the act, and prohibit non-compliant devices from going to market. However, having one set standard for cybersecurity across the EU will also make it more streamlined and clearer for manufacturers on how to maintain compliance.
How will the EU Cyber Resilience Act affect consumers?
The EU Cyber Resilience Act will give consumers a better purchasing power and trust in their devices by requiring manufacturers to provide information on device security before purchasing. The rules will require more knowledge on how to choose products that are secure and how to set up devices in a secure way. Similar to how consumers look at nutrition labels on food products to better understand what they are made of, providing security information on devices upfront will allow consumers to make more informed purchase decisions.
As manufacturers will be required to be more transparent on the cybersecurity in their devices, consumers will have increased trust in the connected devices that do go to market. Furthermore, the EU Commission anticipates it could even increase demand for “products with digital elements” if consumers trust the product security more.
IoT should be secure by design
Regulators shouldn’t have to come in with heavy fines and consequences to drive security — but sadly, all too often security is an afterthought in device development. In a perfect world, companies would realize the importance of protecting their assets, customers, reputation, and employees and do security the right way because it’s the right thing to do. Until we get there, we will have to continue tolerating regulators coming in with a stick. Additionally, the ability for national surveillance authorities to be able to prohibit or restrict the sale of non-conforming products will also be a stick that will drive better security.
When will the Cyber Resilience Act be enforced?
At this point, the EU Cyber Resilience Act is with the European Parliament and Council to examine and adopt. Once enacted, Member States will have up to two years to adopt the requirements. Thus, manufacturers should be prepared to comply with the act any time in the next few years.
However, the trend of increasing regulation on connected devices will continue. The EU Cyber Resilience Act is just the first step; we anticipate that this regulation will become a guideline for other regulators to develop similar standards. In the future, there will be more regulation on the IoT and its design, not less. Thus, it’s important for manufacturers to implement cybersecurity by design now, so they are prepared for the future of IoT regulation.
In addition to more IoT regulation, we are seeing industries come together to solve for device security. For instance, the Matter protocol about to launch for smart home device interoperability, security and reliability may serve as an industry-driven roadmap for better IoT device security. Though the full details of the proposed EU legislation are yet to come out, it is likely that manufacturers complying with Matter security, using device attestation certificates and product attestation intermediates, would meet the requirements of the EU lawmakers. Furthermore, they will have the opportunity to signal security to consumers, given that Matter-compliant devices will carry the Matter seal of approval.
Achieve cyber resilience with DigiCert
At DigiCert, we believe the EU Cyber Resilience Act can increase digital trust in our connected world. We have long championed the necessity of security by design and have the expertise and solutions needed to help manufacturers achieve it. For example, DigiCert for Connected Devices, with the award-winning solution of IoT Device Manager and Mocana, can help manufacturers manage the entire lifecycle of their device including sending secure updates.
IoT Device Manager provides a comprehensive, automated workflow for companies to manage their IoT devices with certificate-based security, during manufacturing and at the edge. It offers the scalability, flexibility, control and efficiency required for a network of connected devices. Administrators can monitor the entire certificate lifecycle, facilitate secure updates, customize metadata about the device within certificates and remain compliant. Rather than building and maintaining a self-managed PKI, IoT Device Manager automates PKI deployment, making it easy to manage a large network of devices. Admins can customize permissions and access control to segment administration for different user groups. Because IoT Device Manager is part of DigiCert ONE™, it has the flexibility to be deployed on-premises, in-country or in the cloud to meet stringent requirements, custom integrations and airgap needs.