The European Commission has finished the draft for the upcoming cyber resilience act. This regulatory initiative aims to protect the European infrastructure and economy from the increasing threat by cyberattacks. The Internet of Things is playing an important role on the current cyber-attack surface. With the new act commission will regulate actions to increase cybersecurity and commit industry to implement cybersecurity processes for connected devices. Leaked draft of the act is showing the commission’s will to force industry to protect their digital products on the entire lifecycle
On State of the Union speech 2021 the Commission’s President Ursula von der Leyen announced to increase efforts for Europe’s Cybersecurity. She named the Internet of Things as one element, which is increasing the attack surface and by that needed to be regulated towards cybersecurity actions.
„If everything is connected, everything can be hacked. Given that resources are scarce, we have to bundle our forces. […] This is why we need a European Cyber Defence Policy, including legislation setting common standards under a new European Cyber Resilience Act.“
Now, one year later, the commission progressing on drafting the new act and recent publishings are showing the planned impact towards connected devices and internet of things. To reduce the cyberattack surface the commission is planning to implement obligation for IoT device vendors on operators:
- Prohibition to launch products with any known vulnerability
- Security by default configuration, protection from unauthorized access
- Products must ensure confidentiality of data, including using encryption,
- Only processing data that is strictly necessary for its functioning.
- Manufacturers will have to identify the vulnerabilities in the product via regular tests and address them without delays.
In fact, manufactures, vendors and service operators will need to take on cybersecurity of IoT devices during their lifetime. This includes a secure software and hardware design process and the implementation of cybersecurity processe to protect devices from being vulnerable – for example providing patches and updates,
To force industry on following the new rules the act has foreseen penalties for non-complying to €15 million or 2.5% of the annual turnover.
How the European Regulation will Progress
The European Commission has involved European stakeholders to provide feedback on the planned new act
Next step the draft has been published and usually the act will be then negotiated with the member states to get an approval by the European Council. After the approval the Act will be signed and enforced by the President of the European Commission. After the approval the industry will might get a timeframe of 12-24 months to adept to the new regulation.
The Impact by the Cyber Resilience Act
To understand the impact of the new Cyber Resilience Act, it is important to understand the “Big Picture” of the commission towards Cybersecurity and the protection of the European Digital Single Market. This Act is just a building block of multiple regulatory initiatives of the Commission to protect European society from negative impacts of progressing digital technology, connected economy and geopolitical struggles. The attack surface by “connected” devices and services has been in focus of previous commissions, e.g., by the Cybersecurity Act, but failed in consequences to enforce broad industry to implement meaningful security actions. In result only a narrow range of products and services in “critical infrastructure” has been forced to implement cybersecurity processes and tools. But in the reality of a full connected digital society there is no clear separation between “critical” and non “critical” use cases as for example a botnet of captured connected household devices can be used to tear down critical connected assets as power stations in an energy grid. With Thierry Breton (https://ec.europa.eu/commission/commissioners/2019-2024/breton_en )
the Commission has a profound deep expert on digital technology at the top of the Commission’s internal market affairs. Before becoming commissioner, Breton has been the CEO of ATOS, which is a 112.000 people enterprise focusing on IT services, digital transformation, and cybersecurity. Breton is very aware of the vulnerabilities of digital single market. The new Act has been drafted under his directory and show his specific handwriting.
What asvin will be Contributing to Industry
asvin will support industry to adopt on the obligations and requirements on the upcoming Cyber Resilience Act. Our products and services are a perfect fit for manufacturers, vendors and operators of connected devices to implement cybersecurity in the entire product lifecycle and to approve the regulatory conformity:
- Track and trace the software integrity and provenance in the complex supply chain of IoT products
- Providing Software Bill of Materials for automated vulnerability scans and source code improvements
- Providing tools and services to apply updates and patches on IoT devices
- Monitoring of device integrity and attack detection during the operation
This services by asvin can be uses “Out of the box” and will protect industry from penalties due failing the Cyber Resilience Act requirements. (Source: https://asvin.io/solution/platform/)
About the Author
Mirko Ross, born 1972, is an internationally recognized activist, expert, speaker, publicist and researcher in the field of Cyber Security and the Internet of Things. At the age of 14, he began investigating vulnerabilities in IT systems. Instead of a career as a hacker, he decided to turn to the bright sight of cybersecurity. Mirko has been member of the Expert Group on Internet Security of Things of the European Cyber Security Agency ENISA and advises the EU Commission as an expert. He is also active in international committees and research projects in the field of cyber security and blockchain technologies. Mirko is still closely associated with the positive hacker attitude and maker movement and promotes non-profit projects in the field of Open Data and IT education. In 2018 he founded asvin.io, with the aim of increasing cyber security in the Internet of Things and providing software solutions for this purpose, leading asvin to the best Cybersecurity Start-up in Germany by 2020 rated by it-sa. Mirko lives in the countryside and works in Stuttgart.