IoT Device Makers that fail to comply with new European Cyber Law face fines, recalls, product bans


Manufacturers have less than 12 months to comply with stringent new EU Cyber Resilience Act Rules

Learn more about NXM’s CRA pre-compliance audit.

By Andrew Opala

In a world plagued by ever-increasing cyberattacks, the European Union is on track to hold smart device makers accountable for the security of their products and for the mismanagement, loss, corruption and misuse of the consumer data those products handle, forcing IoT manufacturers and network service providers to abide by strict cybersecurity rules. Manufacturers that violate the law face product recalls, hefty fines, and the prospect of their products being banned from the EU market altogether.

The European Cyber Resilience Act (CRA), proposed by the European Commission in September 2022, is the culmination of a consultative process that began in 2019 to formulate guidelines on personal security and data protection in the largely unregulated world of the IoT. If passed, obligations to report actively exploited vulnerabilities and security incidents will be enforceable as early as 2023, followed in 2024 by manufacturing obligations to significantly enhance device and data security.

Manufacturers will be required to “assess the cybersecurity risks of their products and take appropriate measures to fix problems” before those products are placed on the market in EU member countries. If an actively exploited vulnerability or a security incident affecting the product is discovered, device makers must notify the European Union Agency for Cybersecurity (ENISA) within 24 hours of becoming aware of it and take steps to remedy the issue.

The proposal's essential security requirements for product design and development (Annex I) include shipping without known exploitable vulnerabilities, a secure-by-default configuration, access control, encryption of stored and transmitted data to protect its confidentiality and integrity, processing only the data the product actually needs, and providing security updates to address vulnerabilities after the product is sold.

The Impact

Growing public concern has led to regulatory initiatives to protect personal data and secure IoT devices, much as concern over road deaths led to laws that first required seat belts in cars and then made their use compulsory. In both cases, legislation was passed after a period of experimentation and consultation, and manufacturers then implemented the requirements.

Seat Belt Timeline

Volvo is credited with being the first to fit the three-point seat belt as standard equipment in 1959, further enhancing its brand promise of being the world’s safest car maker. As early as 1961, US state legislation appeared requiring seat belts in newly manufactured cars. By the late 1960s, federal standards had made seat belts mandatory in all new US passenger vehicles.

Cybercrime and IoT Timeline

The European Union Agency for Cybersecurity (ENISA) was founded in 2004 to help guide EU cyber policy. The EU Cybersecurity Act of 2019 made the agency's mandate permanent and tasked it with running a certification framework for ensuring the trustworthiness of ICT products, services and processes sold in the EU. Before that, the culmination of European concerns over privacy was the 2016 General Data Protection Regulation (GDPR), which has applied since May 2018.

With the ubiquity of IoT devices, ENISA began a consultative process in 2019 on personal data privacy, which expanded to encompass third-party data gathered by IoT devices. Its findings are reflected in the Cyber Resilience Act (CRA).

This EU initiative is well timed, as the necessary security building blocks are rapidly reaching maturity. Arm has led the way by building security support such as TrustZone and the Platform Security Architecture (PSA) into its industry-dominant IoT processor designs. Security software is catching up by migrating away from myriad proprietary chip-vendor approaches towards a common open-source security framework, the industry-supported Trusted Firmware projects (TF-A and TF-M) hosted by Linaro.

The United States has also enacted a number of laws at the federal and state levels governing personal data privacy. The first IoT-specific law in the United States, California's SB-327, took effect in January 2020, the same year the federal IoT Cybersecurity Improvement Act was signed; Oregon's similar law took effect that year as well. The federal law requires federal agencies to procure only IoT devices that meet the security standards and guidelines NIST publishes, the same baseline commercial buyers are expected to measure products against.

Presidential Executive Order (EO) 14028, issued in May 2021, focuses on improving the nation’s cybersecurity. It charged multiple agencies, including NIST, with enhancing cybersecurity through a variety of initiatives related to the security and integrity of the software supply chain. The EO also assigned NIST to work on labeling for consumer Internet of Things (IoT) devices, with the goal of encouraging manufacturers to produce, and purchasers to be informed about, products created with greater consideration of cybersecurity risks and capabilities.

How far along are we?

A comparison of these timelines shows that the IoT industry is on the cusp of a rapid shift, with security becoming mandated and integral to all future smart product designs.

Although solutions are available today, IoT device security is currently a niche market, with only 4% of deployed IoT products considered trustworthy, according to GlobalPlatform research. Just as safety mandates came to shape the auto industry, a new wave of security-enabled devices is poised to enter the market over the next 4-5 years. Companies whose products conform to the new legal regimes will enjoy enhanced brand appeal among security-conscious buyers. Slow followers will lose out, both because architectures designed without security are hard to retrofit and because non-compliance signals inferior product quality.

Firms specializing in IoT security are well positioned to benefit from the new law, with the IoT security market forecast to hit $59 billion by 2029, according to Meticulous Market Research.

Get Prepared Now

Under the proposed EU rules, nearly 100 IoT design and deployment guidelines published by ENISA bear on key areas of IoT product design and deployment. Given that the obligations for manufacturers to significantly enhance device and data security are expected to come into effect by 2024, time is of the essence.

The Road Ahead

At NXM, we have built the first easy-to-use, hassle-free security SDK that enables rapid CRA product compliance. Our NXM Autonomous Security™ and NXM TrustStar™ (secure IoT supply chain management) platform provides manufacturers with a highly cost effective product design, manufacturing and lifecycle cyber security solution for creating the world’s most trustworthy devices.

Our platform impacts compliance design activities in the following ways:


For more information or to request a free security consultation, contact NXM Labs.


About the author: Andrew Opala is CEO of NXM Labs Inc. He can be reached at andrew@nxmlabs.com