The European Commission will force manufacturers of connected objects to beef up their cybersecurity


On Thursday, September 15, the European Commission presented a legislative proposal to strengthen the cybersecurity of digital products, whether hardware or software. The text covers a broad field and is intended to complement the NIS 2 directive without encroaching on its scope (SaaS software, for example, is not covered). Above all, it is meant to tackle the acute problem of vulnerable connected objects.

From overly vulnerable CCTV cameras to gas pumps and refrigerators, examples of security flaws in connected objects are unfortunately well known. Whether for cost reasons or out of ignorance of the subject, the manufacturers of these products still too often overlook cybersecurity, at the risk that their devices hand over valuable personal data far too easily to malicious hackers, or serve as a foothold for further attacks.

“Strong guarantees” for consumers

Announced more than a year ago by Commission President Ursula von der Leyen, the legislative proposal must now be examined by the European Parliament and the Council of the European Union. With this text, which is meant to harmonize rules across the EU, consumers will have “the assurance that the connected objects and software that we buy offer solid guarantees in terms of cybersecurity”, says Margrethe Vestager, the Commission's Vice-President in charge of digital.

“Most hardware and software products are not subject to any cybersecurity obligation,” adds European Commissioner Thierry Breton. “By introducing cybersecurity by design”, the text proposed by the Commission is intended to contribute “to protecting the European economy”, he says, citing examples ranging from computers and telephones to household appliances, virtual assistants, cars and toys.

Two segments

The European Commission divides this wide scope into two segments. The bulk (90%) of the digital products targeted, for example a connected speaker, a hard drive or a game, will fall under a self-assessment regime. The remaining 10%, the most critical products such as a password manager, a firewall or an operating system, will have to be evaluated by a third party or a national agency.

Concretely, the text introduces cybersecurity obligations for manufacturers, who are encouraged, for example, to launch bug bounty programs. It also provides for vulnerability-handling obligations lasting at least five years, including the reporting of actively exploited or patched vulnerabilities as well as of observed incidents. The European Commission also wants to require that security updates be made available for at least five years.

New missions for Enisa

The EU cybersecurity agency, Enisa, is to be involved, in particular by collecting reports from manufacturers and by carrying out security assessments of digital products. Enisa will also be responsible for drafting a technical report every two years on emerging trends in cybersecurity.

Finally, the Commission's text provides for better consumer information. The current lack of transparency “prevents them from choosing products with adequate cybersecurity properties or using them in a secure manner”, the Commission laments.

Sanctions up to 15 million euros or 2.5% of worldwide turnover

To enforce these future obligations, the European Commission envisages administrative fines of up to €15 million or up to 2.5% of annual worldwide turnover for the most serious tier of infringements. Non-compliance could also lead to the products concerned being banned from the European single market.

The European Commission estimates that complying with these new obligations will cost up to €29 billion, an amount to be set against the expected reduction in the cost of cyber incidents, estimated at between €180 billion and €290 billion. For the Commission, these obligations could also become a competitive advantage for European manufacturers in export markets.
