Smart devices and similar connected devices, long the weakest link in networks, may soon be forced to strengthen their defenses by the EU Cyber Resilience Act. The proposed law would affect all products with “digital elements” in the European Union, requiring manufacturers to meet basic security standards at the design level and to provide a way to update and patch devices as security vulnerabilities emerge.
Manufacturers of connected devices would also be required to communicate key security features to consumers at the point of purchase, ensuring that buyers understand how to enable and maintain those features after setting up the device. The proposed penalties are close to those of the General Data Protection Regulation (GDPR), with a maximum of 2.5% of global annual turnover.
The Cyber Resilience Act addresses the major gaps created by smart devices
The European Union’s Cyber Resilience Act defines connected devices as anything that is “directly or indirectly” connected to other devices or networks, casting a very wide net meant to cover the entire smart device market. Some categories of products are exempt from the proposed new rules, but only those that are already subject to their own dedicated regulations: automobiles, aircraft and medical devices, to name a few.
The bill also proposes the kind of teeth that have forced companies operating in the European Union to take GDPR compliance seriously. Companies that fail to meet the bill’s “basic” cybersecurity requirements face maximum fines of €15 million or 2.5% of global annual turnover, and lesser failures do not reduce the pressure much, with maximum fines of €10 million or 2% of global annual turnover. Products can also be withdrawn from the market or recalled. Reporting misleading or incomplete information to the authorities could cost companies €5 million, or 1% of global turnover.
Smart and connected devices, which are largely unregulated around the world, are rarely shipped with long-term security in mind. The market is full of devices with no password protection, default passwords that cannot be changed, no way to update firmware or software when vulnerabilities appear, and other serious security holes that show a complete lack of interest in security at the design level.
This early draft of the EU Cyber Resilience Act does not go into detail on how design processes will be regulated, but it does indicate that rules will be established covering not only development but the entire product lifecycle. Manufacturers would also be required to report security vulnerabilities that are being actively exploited.
How strict would these new rules be? While the details are not yet developed, an early indication is that less significant products (estimated at about 90% of the market) may be able to forgo a third-party evaluation and rely on self-assessment instead. Compliant products would be able to display the European Union’s CE marking, already used for electrical safety and other purposes, and self-certification is already available for some of those purposes.
A major overhaul of connected devices could bring benefits to other markets
The European Union Agency for Cybersecurity (ENISA) cites the explosive growth of ransomware in recent years as one of the main drivers of the EU’s cyber resilience law, citing statistics that found a company was attacked every 11 seconds in 2021 and that global annual damages now amount to 20 billion euros. This attack frequency is largely due to automated bots, and known vulnerabilities in connected devices are one of the primary things these malicious systems look for.
If the EU’s Cyber Resilience Act passes through the European Parliament and Council, the benefits could emerge in other parts of the world as manufacturers design their global product lines to comply with the EU standards. Although it is not the first legislation to specifically address connected devices, the EU Cyber Resilience Act would be the strongest and most comprehensive if passed; previous legislation, such as the 2018 California law requiring smart devices to ship with secure passwords, tends to address specific vulnerabilities rather than take the “security by design” approach that begins when the blueprints are drawn up.
However, any changes will take some time to reach store shelves. If the EU’s Cyber Resilience Act is adopted, manufacturers will have two years to make their connected devices compliant. The requirement to report actively exploited vulnerabilities would take effect after only one year.
David Dumont and Sarah Pearce, Partners at Hunton Andrews Kurth LLP, feel that passage of the EU Cyber Resilience Act is not a certainty given the disproportionate stress the rules could place on small businesses and the impact they could have on technological innovation: “The EU legislator has chosen to impose cybersecurity requirements on all connected hardware and software products with another device or network in the EU market, through a regulation that is directly applicable in all EU member states. This makes sense, as the effectiveness of the EU’s defense against cyberattacks may be affected if only one digital product in the chain contains ineffective security features… Although there is general consensus on the need for strong and consistent cybersecurity standards to reduce vulnerabilities in digital products, there is a risk that compliance costs related to the stringent requirements that must be met to bring digital products to market, and which must be monitored throughout the life cycle of digital products, may make it difficult for small and medium-sized businesses to compete in the digital market. There is also a risk that it may hinder technological progress. Legislators will need to strike a reasonable balance of adequate regulation to ensure security against threats while allowing and encouraging the development of new and advanced digital products.”