Last week, the European Commission published new draft legislation that attempts to crack down on security vulnerabilities in Internet-connected devices and services.
The Cyber Resilience Act will regulate the IoT (Internet of Things), which has been frequently criticised for having poor cyber security practices.
Despite these concerns, the popularity of IoT devices has soared in recent years, with consumers increasingly attracted by the convenience.
Countless products now offer Internet-enabled features, including televisions, fridges, doorbells and thermostats.
However, cyber security experts and regulators fear that without proper protections, these products could expose people to security risks. If a cyber criminal hacked a smart device, they could steal sensitive information about its owner or hijack it for nefarious purposes.
The Cyber Resilience Act will require manufacturers to implement more robust defences, while importers will be expected to verify those security controls.
Anyone who fails to meet these requirements could receive a fine of €15 million or 2.5% of their annual global turnover.
What are the Cyber Resilience Act’s requirements?
The Cyber Resilience Act addresses the currently unregulated market of IoT cyber security. It seeks to establish baseline security requirements for digital products and associated services that are available in the EU.
This includes several specific requirements for hardware manufacturers, software developers, distributors and importers. Those covered by the rules will be expected to implement an “appropriate” level of cyber security.
Among them is a rule prohibiting manufacturers from selling products with any known vulnerability. Manufacturers must also implement security by design and by default, adopt controls to mitigate the risk of unauthorised access, and take reasonable steps to limit attack surfaces.
They will also be required to notify the EU cyber security agency ENISA of any security incidents within 24 hours of becoming aware of the breach.
Meanwhile, importers must implement safeguards to ensure that products or services sold in the EU have appropriate security controls in place. If they fail to do so, national market surveillance authorities would be permitted to restrict the product or service’s availability, withdraw it from the market or recall it.
Securing smart devices
If you’re concerned about the smart devices your organisation uses, IT Governance is here to help.
Our Cyber Health Check service provides essential support in identifying your organisation’s security weaknesses and finding a practical route to minimise risks.
We will assess your cyber risk exposure with our four-phase cyber health check, which includes vulnerability scans of your networks and the software you use.
Our experts will also perform an on-site governance and information security management audit, and conduct a staff survey to identify weaknesses in your processes and awareness training.