EU Act will protect consumers from cybercrime across digital devices
Manufacturers will be encouraged to factor ‘security by design’ into device development
The new EU Cybersecurity Act aims to ensure Europe’s citizens are protected from cybercrime right across their digital devices.
It introduces, for the first time, EU-wide rules for the cybersecurity certification of products, processes and services. This will create a comprehensive set of rules, technical requirements, standards and procedures, agreed at European level, for the evaluation of the cybersecurity properties of a specific product, service or process.
The hope is that cybersecurity certification will increase trust in – and the security of – the products, services and processes that are crucial for the proper functioning of the digital single market. The intention is to provide people with graded levels of assurance, from basic to substantial or high, to help with purchase decision-making.
The resulting certificates will be recognised in all member states, making it easier for consumers to understand the security features of the product or service. A key feature of the framework is that it also encourages manufacturers or providers to factor ‘security by design’ into the development stage of products, services or processes.
“ENISA is to set up and maintain this cybersecurity certification framework and inform the public on certification schemes and issue certificates. This is the first of its kind and establishes the governance and rules for EU-wide certification of ICT products, processes and services,” explains Niamh Hodnett, head of regulatory affairs at Three Ireland.
While the certification is to be voluntary for now, and will run alongside third-party certification – and self-certification by the manufacturer for low-risk products and processes – consumer demand should be enough to drive it.
If not, “the European Commission will assess whether mandatory certification may be required for certain products and services”, Hodnett says.
The Act also paves the way for greater cross-border cooperation in relation to cybersecurity. “The EU Cybersecurity Act gives ENISA, the EU agency for cybersecurity, a new mandate and increases its resources. ENISA can help member states handle cyber incidents and support EU coordination in the case of a large-scale attack,” she says.
The Act reflects an acceptance of the fact that, as cyber attacks cross borders, so the EU must provide coordinated action across multiple countries, says Dani Michaux, head of cybersecurity at KPMG.
“It’s about how can you enable multiple countries to respond in a coordinated, systematic and standardised way, particularly given that while one country might think something is an urgent issue, another may not.”
It will help ensure that within a country, different organisations and agencies react uniformly to threats, as well as at cross-national level, she points out. These days, that’s more important than ever.
“We not only have some very organised crime activities, but we have some very sophisticated state actors operating across multiple countries too,” says Michaux. Such actors may consider targeting anything from telecoms infrastructure to financial services operations, to supply chain or retail organisations, all of which will have cross-border components.
The Act ensures ENISA plays a role in ensuring all EU countries are on the same page when it comes to recognising, identifying and responding to cyber threats. “It will provide standard tool kits and standardised ways of explaining things to everyone where there is a risk. This matters because some more mature countries are better off than others and not every country has the same amount of resources to invest in cybersecurity,” says Michaux. “A central body may provide guidance, perhaps expertise and possibly technical support to smaller countries.”
This level of coordinated response to cyber risk will come in tandem with the new certification of products. For Ireland, a country with a high number of multinational companies and vibrant R&D and ICT activity, certification will be of particular interest, she suggests.
“There is a big push now around accreditation and certification around a common European scheme, in particular ensuring products are secure by design, and have privacy by design. That means, if you are designing a smart home device, or a smart watch, you as a manufacturer would be accountable to make sure it has adequate security controls and is not collecting a huge amount of users’ private data.”
Putting the onus on manufacturers makes sense, she says. “We should not expect the consumer to have to understand the whole technological exposure of the product.”
Safeguard the young and the elderly
As such, the Act will, in particular, safeguard the young and the elderly, who are particularly vulnerable. “Middle-aged people have grown up with 2G, 3G, 4G and now 5G. But young people are so excited by the technology they just want to use it, or play it. They don’t have the concerns with privacy that middle-aged people have, they are just excited to be using it, while older people may be unsure about all the functionality of a product. Consumers should not be security administrators,” says Michaux.
The Act doesn’t, however, take the onus off individuals to be sensible when it comes to reducing their own vulnerability to cyber risk, by informing themselves and making the kind of informed decisions that the new certification system will facilitate.
It should be a balanced approach, says Michaux. “The manufacturers should embed security and privacy features and not expect the consumer to have to do it. That is the push towards having a central agency for accountability. Currently, different certification schemes exist but not in a unified, centralised way. That is the big step change here.”
Having a common level of standards, and a coordinated response to attacks, means people from opposite ends of the EU will all speak the same language when it comes to cybercrime. As we move further into the ‘digital trust’ economy, and the proliferation of smart devices that 5G will enable, that will become more critical.
But we as consumers still have to play our part too. “It’s disappointing that, 25 years after the world’s first chief information officer was appointed, in October 1994, so many ransomware attacks still start with the use of a default password,” Michaux says.