The EU is set to reach an agreement for a new law relating to cybersecurity requirements and vulnerability handling for Internet of Things (IoT) devices.

In a separate process, the UK has passed a similar bill which matches the proposed EU legislation.

Cyber Resilience Act (EU)

The EU legislation – The Cyber Resilience Act – covers two main objectives and four specific objectives:

Main Objectives

  1. create conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and ensuring that manufacturers take security seriously throughout a product’s life cycle; and
  2. create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements.

Specific Objectives

  1. ensure that manufacturers improve the security of products with digital elements from the design and development phase and throughout the whole life cycle;
  2. ensure a coherent cybersecurity framework, facilitating compliance for hardware and software producers;
  3. enhance the transparency of security properties of products with digital elements, and
  4. enable businesses and consumers to use products with digital elements securely.

Clarification of scope

In a meeting of the main EU political groups yesterday (5th July), clarifications of how certain technologies and processes fall within scope were agreed.

Remote data processing solutions integrated into the connected devices, such as cloud-enabled functionalities for smart home appliances, are now covered in the regulation’s scope.

On the other hand, websites not inextricably linked to a product with digital elements, or cloud services outside the responsibility of the manufacturer, should not be considered remote data processing solutions under this regulation.

Free and open-source software outside of commercial settings is excluded from the scope. Commercial settings are where developers employed by commercial entities or their employers can exercise control over the modifications that are accepted in the code base.

Supply chain responsibilities

Manufacturers of devices which fall within the scope of the legislation will have to conduct due diligence to ensure compliance with the cybersecurity requirements for any integrated components from third parties, including free and open-source software.

If a manufacturer discovers a vulnerability while carrying out this due diligence, it should address the vulnerability and inform the developer of the component of the security patch it applied.

Manufacturers of components are obliged to provide the final product manufacturer with all the relevant information to comply with the regulation free of charge.

The responsibility to comply with the new cybersecurity law also applies to any economic operator that substantially modifies the product. The Commission is currently tasked with providing guidance on what constitutes substantial modifications.

Support period

The definition of the support period was changed to include the timeframe during which manufacturers are expected to handle vulnerabilities.

Manufacturers should make the support period proportionate to the expected product lifetime and provide market authorities with the relevant information upon request. Authorities should actively ensure that the manufacturers are correctly determining the support period.

Product Security and Telecommunications Infrastructure Act 2022 (UK)

As mentioned, the UK has passed similar legislation to the EU with the creation of the “PSTI” Act.

This is a “Bill to make provision about the security of internet-connectable products and products capable of connecting to such products; to make provision about electronic communications infrastructure; and for connected purposes.”

Work leading up to the creation of the Bill started in 2018 with the release of the Code of Practice for Consumer IoT Security. Whilst the code contains sound advice for manufacturers of IoT devices, as the name suggests it is only a code of practice and in no way legally binding.

The code contains 13 guidelines, many of which now form part of the PSTI Act.

  • No default passwords
  • Implement a vulnerability disclosure policy
  • Keep software updated
  • Securely store credentials and security-sensitive data
  • Communicate securely
  • Minimise exposed attack surface
  • Ensure software integrity
  • Ensure that personal data is protected
  • Make systems resilient to outages
  • Monitor systems telemetry data
  • Make it easy for consumers to delete personal data
  • Make installation and maintenance of devices easy
  • Validate input data

The Bill originated in the House of Commons in 2021 and was given Royal Assent on the 6th December 2022. Full details of the new legislation can be viewed here.