The European Commission is working on legislation to remove Internet of Things (IoT) devices with weak security from sale. Manufacturers who do not get their act together on security risk a fine. The new rules will apply starting in 2024.
So writes The Financial Times (1). The British business newspaper managed to get its hands on a draft version of the legislation.
Smart devices and IoT applications such as smart speakers, security cameras, smoke detectors or thermostats are becoming increasingly popular. According to the Central Bureau of Statistics (CBS), three-quarters of Dutch households have at least one smart device in their homes. Currently, it is estimated that there are some 35 billion smart devices in circulation worldwide. Market researchers predict that this number will rise to over 75 billion devices by 2025.
Smart devices make our lives easier, but they also come with risks. For example, if you don't secure your smart cameras properly, others can secretly watch the video feed. You also don't want hackers or cybercriminals taking over your devices remotely or using them against you.
To prevent such situations, the European Commission is working on legislation imposing stricter requirements on smart devices. If it were up to the EU executive, such products would soon no longer be allowed to ship with a weak default password. Furthermore, manufacturers would have to test their products for security vulnerabilities, protect personal and financial information, and allow consumers and organizations to manage this data.
According to The Financial Times, the European Commission wants to go a step further. For example, the Commission would like to ban the sale of smart devices and IoT applications if security is not in order. Furthermore, it wants to introduce a system of fines. The draft proposal states that fines could be up to 15 million euros, or 2.5 percent of global annual sales, whichever is higher.
Finally, the European Commission wants to create a security breach notification requirement and require manufacturers to release updates. How long this update obligation should apply is unknown. Earlier this month, the Commission introduced a draft bill to establish the right to fixes and updates. In it, the Commission talked about a five-year update period for smartphone manufacturers.
Former Minister of Economic Affairs and Climate Stef Blok said late last year that smart device manufacturers treat cybersecurity as an afterthought. "We see that insecure products are an ideal entry door for criminals to capture personal or banking data. Or to take over controls, allowing a device to be used for a hacking attack on other consumers or businesses. That is why it is essential that IoT is secure and can be used with confidence," the minister said.
In the Netherlands, the Netherlands Telecom Agency checks whether IT products and services meet minimum security requirements. In April of this year, the agency was named the National Cybersecurity Certification Authority (NCCA). "This new system makes it clear to everyone how secure and resilient products and services are. Consumers will soon be able to make a more conscious choice: do I choose a certified product, or not? Certified products are safer to use and more resilient against cybercrime," Angelina van Dijk, director-in-chief of the Netherlands Radiocommunications Agency, said of the appointment.
The General Intelligence and Security Service (AIVD) also plays a role in watching over the security of smart devices. Together with the Radiocommunications Agency, the service checks whether the accompanying documentation of smart devices is in order, how the development and design process took place, and scrutinizes the production method and testing procedures. Products that receive a certificate are safe to use and more resilient to cyber attacks and other digital threats.
"Through mutual exchange of knowledge and information, both organizations can better fulfill their tasks. In this way, they are jointly increasing the digital resilience of the Netherlands," the Radiocommunications Agency said.
(1) https://www.ft.com/content/cfa2e2be-8871-4b56-b7bf-c5d2c55e8ed5