Long the weakest link in networks, smart devices and other connected products could soon be forced to bolster their defenses by the EU Cyber Resilience Act. The proposed law would apply to all products with “digital elements” sold in the European Union, requiring manufacturers both to meet basic security standards at the design level and to provide a means of updating and patching devices as vulnerabilities emerge.
Manufacturers of connected devices would also be required to communicate key security features to consumers at the point of purchase, and to ensure that they understand how to enable and maintain all of these features after the device is set up. Proposed penalties are close to those of the General Data Protection Regulation (GDPR), with a maximum fine of 2.5% of global annual turnover.
Cyber Resilience Act addresses big holes created by smart devices
Connected devices are defined by the EU Cyber Resilience Act as anything “directly or indirectly” connected to other devices or networks, which casts a very broad net meant to cover the whole of the smart device market. Some product categories are excepted from the proposed new rules, but only those already subject to their own regulatory regimes, such as automobiles, aircraft and medical devices.
The bill also proposes the sort of teeth that have forced companies operating in the EU to take GDPR compliance seriously. Companies that fail to meet the bill’s “essential” cybersecurity requirements face maximum fines of the greater of €15 million or 2.5% of global annual turnover, and lesser failures do not reduce the pressure much, with maximum fines of €10 million or 2% of global turnover. Products could also be ordered withdrawn or recalled. Supplying misleading or incomplete information to authorities could cost companies €5 million or 1% of global turnover.
Largely unregulated around the world to date, smart and connected devices have rarely shipped with long-term security in mind. The market is riddled with devices that have no password protection, default passwords that cannot be changed, no means of updating firmware or software when vulnerabilities are found, and other serious security holes that demonstrate a complete lack of attention to the subject at the fundamental design level.
This early form of the EU Cyber Resilience Act does not yet go into detail about how design processes will be regulated, but it does indicate that rules will be laid down that apply not just to development but to the entire product life cycle. Manufacturers would also be required to report vulnerabilities that are being actively exploited.
How tight would these new rules be? While they have yet to be developed, the early indication is that less critical products (estimated to be about 90% of the market) might be able to get by with a basic third-party assessment or even a self-assessment. Compliant products would be able to display the EU’s CE mark, already used for electrical safety and other applications, and self-certification is already permitted for some of those applications.
Big tune-up for connected devices could bring benefits to other markets
The EU Agency for Cybersecurity (ENISA) cites the explosive growth of ransomware in recent years as one of the major drivers of the EU Cyber Resilience Act, noting statistics that find a corporation was hit with an attack every 11 seconds in 2021 and that global annual damages are now at €20 billion. This attack frequency is largely driven by automated bots, and known vulnerabilities in connected devices are one of the primary things that these malicious systems scan for.
If the EU Cyber Resilience Act makes it through the European Parliament and Council, the benefits might be seen in other parts of the world as manufacturers tailor their global product line to comport with the necessary EU standards. Though it is not the first legislation specifically addressing connected devices, the EU Cyber Resilience Act would be the strongest and most comprehensive if passed; prior legislation, such as a 2018 California law that requires smart devices to enable secure passwords, has tended to address specific vulnerabilities rather than a “security by design” approach that starts when schematics are drawn up.
Any changes would take some time to ripple out to store shelves, however. If the EU Cyber Resilience Act ends up being adopted, manufacturers would have two years to get their connected devices into compliance. The requirement to report actively exploited vulnerabilities could be implemented in just one year.
David Dumont and Sarah Pearce, Partners at Hunton Andrews Kurth LLP, feel that passage of the EU Cyber Resilience Act is far from a sure thing, given the disproportionate strain the rules could put on smaller businesses and the impact they could have on tech innovation: “The EU legislator’s choice to impose cybersecurity requirements for all hardware and software products that are connected to another device or network on the EU market, through a regulation that will be directly applicable in all EU Member States, seems logical, as the effectiveness of the EU’s defense against cyberattacks may be impacted if one digital product in the chain has ineffective security features … Although there is a general consensus on the need for strong and consistent cybersecurity standards to reduce vulnerabilities in digital products, there is a risk that compliance costs related to the stringent conditions that must be met to introduce digital products on the market, which must be monitored throughout the digital products’ lifecycle, may make it difficult for small and medium-sized companies to compete on the digital market. There is also a risk that it may hinder technological advancement. Legislators will need to establish a sensible balance of sufficient regulation to ensure security against threats whilst allowing and encouraging the development of new and evolving digital products.”