
How is EU cybersecurity law affecting IoT product design?

Published on 6th Feb 2023

The EU's strategy on cybersecurity has the potential to be a game changer for product design, business models and distribution of IoT products across Europe

  • The proposed Cyber Resilience Act addresses manufacturers and also imposes obligations on importers and distributors of IoT devices, with an emphasis on security by design
  • It provides an impetus for businesses to consider cybersecurity carefully when designing and manufacturing connected devices, throughout the whole lifecycle of a product

For manufacturers of Internet of Things (IoT) products or businesses looking to digitalise their operation, the first question when designing or procuring IoT systems is unlikely to be "could this product serve as an attack vector for malicious actors?" However, the EU's proposed Cyber Resilience Act (CRA) intends to make sure this question is on the agenda.

We are living through an explosion in the number of network-connected objects around us, with an estimated 25 billion IoT devices in use in 2021. However, a European Commission study has found that only half of all relevant companies apply adequate safeguards against cyberattacks, and that two-thirds of cyberattacks exploit weaknesses that had already been identified but that businesses failed to fix. A recent study reported a 30% increase in attacks targeting IoT systems during 2020, when the coronavirus pandemic struck.

What are connected IoT devices? 

These are products or sensors that can connect to a network, directly or indirectly (for example via Wi-Fi, Bluetooth or 4G/5G), and can receive, store, process or transmit data. Examples include drones, robots working on an assembly line, wearables gathering critical health data about a patient, and "smart" lightbulbs.

What is security by design?

This is the practice of developing or designing products and services with security in mind from the outset. 

Why are new requirements for IoT devices necessary?

Cybersecurity in the design and development of a product has not, until now, been covered by any specific regulatory regime. Since 2020, the European standard on consumer IoT security (ETSI EN 303 645) has provided cybersecurity best-practice guidance in the form of outcome-focused provisions. In the UK, there has been a government-backed Code of Practice for Consumer IoT Security since 2018. However, these codes and standards are all non-binding and voluntary in their implementation.

Existing regulation has only indirectly addressed the risks associated with cybersecurity of IoT devices. The General Data Protection Regulation (GDPR) requires data controllers to take appropriate measures to ensure the security of the processing of personal data. However, it does not address key members of IoT supply chains (such as manufacturers, importers or distributors of devices) nor does it apply to IoT risks beyond those associated with personal data, such as risks to the integrity of IT infrastructure. Other EU legislation has similar shortcomings, such as the Network and Information Systems Directive, which is limited to operators of essential services and key digital service providers. 

As proposed, the CRA is a regulation for products with digital elements, including IoT devices, placed on the EU market. It aims to close these regulatory gaps and strengthen the security of the whole IoT value chain by placing specific cybersecurity obligations within the existing framework for product compliance. Products will be required to meet essential cybersecurity requirements before they can be placed on the EU market, and conformity with those requirements will be demonstrated by affixing the CE mark. Non-compliance will be enforced in individual Member States and may include potential criminal liability.

What are the requirements?

There will be an impetus for businesses to carefully consider cybersecurity when designing and manufacturing connected devices, throughout the whole lifecycle of a product. Manufacturers will be required to factor cybersecurity into the design, development and production of products with digital elements. They will also be required to exercise ongoing due diligence on security aspects. And they will need to comply with mandatory vulnerability handling requirements.

Regulating IoT products in this way places conformity with cybersecurity standards (at the time of design and manufacture, and on an ongoing basis) at the same level of legal priority and significance as physical design requirements. There is also scope for the CRA to apply to devices which are already on the market if they receive a software update which changes their intended use, or affects their compliance with the regulation's essential cybersecurity requirements. 

Alongside GDPR-style percentage of worldwide turnover fines which can be applied by regulators for non-compliance with the CRA, the EU's proposed revised Product Liability Directive will also make damages available for products that do not provide the level of safety expected by the public. Consumers may also be entitled to legal remedies where cybersecurity vulnerabilities lead to the loss or corruption of data or when a safety issue arises due to a lack of security updates after a product has been sold. 

These future EU laws are still progressing through the legislative process and are subject to potential amendments. However, it is already clear that security by design will be placed at the heart of the design of IoT products and will remain an important element of compliance throughout a product's lifecycle. The CRA addresses manufacturers but also imposes obligations on importers and distributors of IoT devices. The EU's strategy on cybersecurity therefore has the potential to be a game changer for product design, business models and distribution of IoT products across Europe.


View the full Technology, Media and Communications Annual Review

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.

Interested in hearing more from Osborne Clarke?