IoT is the next cybersecurity battleground

What’s happened?

The European Commission (EC) has announced the Cyber Resilience Act, creating new rules to ensure greater security for hardware and software products, especially Internet of Things (IoT) devices. Other countries have also increased their focus on IoT security, further highlighting that cybersecurity remains the main short-term risk of digitalisation.

Why does it matter?

IoT devices represent a major risk because billions of them are connected to the public internet, and security is not usually their manufacturers' top priority. Back in 2017, a Las Vegas casino was hacked soon after it had installed an internet-connected fish tank, which provided the attacker's point of entry. The EC's proposals will put the onus on the manufacturer rather than the user, through new requirements ensuring security by design and fines for non-adherence. Other countries have also put forward their own rules:

  • The UK, following a voluntary Code of Practice for Consumer IoT Security, has added the Product Security and Telecommunications Infrastructure Bill, which is currently going through Parliament and focuses on security by design;
  • In the US, an Executive Order on Improving the Nation's Cybersecurity was signed in May 2021, under which devices will be labelled based on their level of security. The IoT Cybersecurity Improvement Act, which focuses on products purchased by the federal government, was also signed in 2020;
  • China introduced guidelines in October 2021, with the aim of creating IoT standards for software security, access authentication and data security.

This is the third major piece of cybersecurity legislation the EC has proposed since 2019. The EU Cybersecurity Act, passed in 2019, focused on a certification framework and greater powers for the European Union Agency for Cybersecurity (ENISA). The Network and Information Security (NIS2) directive, still going through the EU's legislative process, expands the number of companies and sectors required to take risk management measures, as well as strengthening enforcement requirements.

What’s next?

As with all EU legislation, the new Act requires the approval of both the European Parliament and the European Council (representing member states), which means it will be amended and might not become an enforceable piece of legislation before 2024 at the earliest. But with greater regulation comes the risk of greater fragmentation, and even extraterritoriality, driving regionalisation of the tech sector.