At the EU level, Regulation (EU) 2019/881 on ENISA (the European Union Agency for Cybersecurity) and on information and communication technology cybersecurity certification (known as the “Cybersecurity Act”) entered into force in June. The Cybersecurity Act creates a framework for EU-wide cybersecurity certification schemes to be established for specific technology products, processes and services. The framework comprises a set of rules, technical requirements, standards and procedures for each scheme.

Initially, certification under an applicable EU cybersecurity certification scheme will be voluntary, unless otherwise provided for by EU or Member State law. The European Commission will regularly assess whether certification schemes should become mandatory for certain high-risk products, processes or services.

Earlier this year, the European Telecommunications Standards Institute (ETSI) released a voluntary global standard, ETSI TS 103 645, to establish a base level of cybersecurity for connected consumer products (referenced in our previous blog here on the UK’s Code of Practice for Consumer IoT Security). This standard may provide a basis for future cybersecurity certification schemes under the Cybersecurity Act.

As a next step, the European Commission is holding open consultations and will publish a rolling work programme of EU-wide cybersecurity certification schemes for specific groups of products, processes and services.

The European Commission is also exploring whether to introduce new laws under the Radio Equipment Directive 2014/53/EU (“RED”) to strengthen the security of connected products. Under the initiative, various policy options are being considered, including the possible introduction of mandatory laws (in the form of a Delegated Regulation made under RED) that would require connected products placed on the EU market to incorporate certain features and safeguards.

The European Commission highlighted in the Inception Impact Assessment for this initiative that the introduction of a Delegated Regulation under RED will mean that compliance with the mandatory features and safeguards will have to be demonstrated before the product can be placed on the EU market. It also entails an obligation on Member States to submit a notification through Safety Gate (the EU rapid alert system for dangerous non-food products) where a radio-connected product presents a serious risk related to personal data, privacy or fraud.

A public consultation on the various policy options opened on 9 August 2019. You can contribute to the consultation by completing an online questionnaire (until 15 November 2019).

In the UK, the Government has been exploring various regulatory proposals to ensure that consumer IoT products adhere to a basic level of security. A consultation has been published setting out the policy options being considered:

  • Option A: Mandate retailers to only sell consumer IoT products that carry a specific IoT security label which tells consumers how secure the product is, with manufacturers to self-declare and implement a security label on their consumer IoT products (this is the UK Government’s preferred option);
  • Option B: Mandate retailers to only sell consumer IoT products that adhere to the top three guidelines of the Code of Practice for Consumer IoT Security, with the burden on manufacturers to self-declare that their consumer IoT products adhere to the top three guidelines and ETSI TS 103 645; and
  • Option C: Mandate that retailers only sell consumer IoT products with a label that evidences compliance with all 13 guidelines of the Code of Practice for Consumer IoT Security, with manufacturers expected to self-declare and ensure that the label is on the packaging.

The consultation closed in June 2019 and the UK Government is currently in the process of reviewing the feedback. The UK Government has flagged that it plans to introduce the IoT security labelling scheme on a voluntary basis later this year, whilst it decides on which measures to take forward into legislation after analysing the feedback received.

We’ll keep you updated on these developments!

Posted by Tracey Bischofberger