How the EU’s proposed IoT cybersecurity law could affect device makers

The proposal estimates compliance costs at €29 billion but could provide cyber-clarity.

The US may be plodding its way through potential tech regulations, but across the pond in the European Union, regulators continue to move aggressively to rein in tech.

After landmark legislation—like the General Data Protection Regulation (GDPR), which went into effect in 2018—and the Digital Services Act, which gained final approval at the beginning of the month, the EU is now turning its attention to the many devices that make up the internet of things.

In mid-September, the European Commission proposed the Cyber Resilience Act, which would mandate stronger cybersecurity protections for IoT devices. Specifically, connected device makers would be required to inform authorities and customers alike in the event of a cyberattack and to have the capacity to address incidents quickly.

The law would be the EU’s first cybersecurity regulation for the IoT industry, which the proposal estimates is worth nearly €1.5 trillion. If the bill does pass, it would have implications for multinational companies operating in the EU, and, according to Madeline Cheah, principal security technologist at technology consulting firm Cambridge Consultants, it could help prompt similar measures in the US, much as the GDPR inspired California’s privacy law.

“Having a law which will make sure that you have to tell what sort of data any device is going to collect, this would be very useful for customers and also to push manufacturers to be careful what kind of data they are collecting,” Vijay Prakash, researcher at New York University’s Tandon School of Engineering, told Emerging Tech Brew. “In a way, it’s a great stepping stone from the GDPR.”

Assessing impact

The proposed legislation comes in a bid to combat cybercrime, which was estimated by a European Commission impact assessment to cost €5.5 trillion annually worldwide by 2021.

If it goes through, the law would go into effect in 2024, which Prakash said should be enough time for companies to adjust to the new rules. But Prakash emphasized that, for its part, the government will need to institute the infrastructure necessary to help ensure compliance.


The proposal estimates that compliance will cost “software developers and hardware manufacturers” an aggregate €29 billion and stipulates that “noncompliance with the essential cybersecurity requirements” will lead to fines of up to €15 million or 2.5% of the previous year’s global revenue, whichever is higher. Additionally, the European Commission would have the power to recall or ban devices that are found to be noncompliant.

Although the US does not have a comprehensive IoT regulation like the one proposed in the EU, it did pass a law in late 2020 that sets cybersecurity standards for IoT devices purchased by the government.

Cheah said that companies could choose to embrace the EU’s proposed regulations as a way to potentially garner customers’ confidence and trust in their products.

“It’s a case of viewing it more as an investment. It’s not just the fact that it’s an extra thing to do, it’s also things that will help gain you a customer’s trust, and anything that gains you a customer’s trust is good,” Cheah said.

Thales Group, a French multinational IoT manufacturer for the aerospace and defense industries, told Emerging Tech Brew in an emailed statement from spokesperson Matthew Cox that it “positively welcomes such EU regulations which aim to enhance the cybersecurity features of IoT devices” and is “well positioned to support any company” looking to implement a cybersecurity strategy.

“Regulations are key to provide guidance and give direction,” Cox wrote. “Our experts are anticipating regulations and are part of several security standards working groups.”

Cheah also said regulations like this can give much-needed clarity to companies looking to invest in cybersecurity.

“What the regulation actually gives is clarity because IoT is so broad and wide-ranging and so many different technologies,” Cheah told Emerging Tech Brew. “Especially if a company is new to it, for example, or they have made investments in the past but didn’t know which direction to invest further in or understand which market they should move into, regulation can provide that clarity.”
