08 Sep 2021

New study finds gaps in Commission’s approach to IoT cybersecurity

A new DIGITALEUROPE study on cybersecurity of the Internet of Things (IoT), published today, finds that the European Commission’s current fragmented approach to product cybersecurity leads to security risks and legal uncertainty.

The study – based on interviews with 18 standards experts – concludes that a new, horizontal law for cybersecurity of connected devices is needed, together with a timeframe that allows for harmonised standards for cybersecurity to be developed.

Cecilia Bonefeld-Dahl, Director-General of DIGITALEUROPE, said:

“There will be almost 30 billion connected devices by 2026 and securing them will be the next big digital challenge. Without proper rules, appliances like cameras or coffee machines are vulnerable to hackers, endangering Europeans and providing easy access for larger cyberattacks.

Most cybersecurity risks for connected devices are similar, yet the Commission’s current approach proposes different rules for different devices. Our study clearly shows that comprehensive horizontal rules for all connected devices should be a priority for Europe, focusing on both product and organisational requirements.

We must absolutely avoid hurdles in the design and development of cybersecure connected products years from now. This is why, in addition to horizontally applicable rules, we need sufficient time to develop the necessary harmonised standards to support products’ technical compliance.

Europe is currently a leader in product compliance thanks to standards – getting it wrong now would endanger our future leadership in cybersecurity.”


Key findings and recommendations

  • 70 per cent of baseline cybersecurity requirements are common across all connected products. New, horizontal legislation is therefore most appropriate to tackle this.
  • 94 per cent of interviewed experts find that organisational requirements, such as cybersecurity management rules, are essential in addition to physical product requirements, such as passwords (56 vs 44 per cent). By contrast, existing product legislation mostly focuses on product requirements alone. For this reason, existing product legislation should not be used to address cybersecurity or, if it must be, it should be tightly focused on product-related requirements.
  • All interviewed experts agree that defining baseline cybersecurity requirements for all connected products would be crucial to improving their current low level of cybersecurity. However, developing appropriate harmonised standards will take at least five years. Policymakers should therefore allow for sufficient time and maximise the link between legislation and standards.

About the study

DIGITALEUROPE’s new study “Setting the standard: How to secure the Internet of Things”, based on interviews with 18 standards experts, provides recommendations for how EU product legislation and harmonised standards should work together to ensure the cybersecurity of connected products.

The study comes at a moment when 12.4 billion IoT devices are estimated to be connected around the world (expected to more than double to 26.4 billion by 2026). This rapid growth and the cybersecurity risks it generates have led the Commission to include a series of cybersecurity provisions and requirements across a myriad of regulations, from radio equipment, to machinery, to product safety.

In the study, the interviewed experts have found that this fragmented approach can actually lead to security risks in connected devices, whose security is instead largely dependent on organisational and administrative requirements, such as cybersecurity management rules (56 per cent vs 44 per cent for physical product requirements, such as passwords).

DIGITALEUROPE recommends instead that the Commission should prioritise new, horizontal cybersecurity legislation applicable across all connected products and set a realistic timeframe for standards organisations to develop the necessary harmonised standards, thus maximising the link between legislation and standards.

Full report

Read DIGITALEUROPE’s study “Setting the standard: How to secure the Internet of Things” here.

FOR MORE INFORMATION, PLEASE CONTACT:
Chris Ruff
Director for Political Outreach & Communications