Connected devices: Europe introduces new cybersecurity certifications

The European Parliament, Council, and Commission reached a political agreement on legislating to improve cybersecurity on December 10, 2018. First proposed in 2017 as part of a range of measures designed to tackle cyberattacks and boost cybersecurity in the EU, the legislation establishes a framework to create European cybersecurity certificates for products, services, and processes.

Connected devices are becoming increasingly prevalent in our lives. They help us to control access to our home, adjust the temperature in each room, and even track progress made in keeping fit. But with an expected 20.4 billion of these devices worldwide by 2024, ensuring that cybersecurity is not compromised for individuals and businesses alike is quite a challenge.

Trust and confidence – the two fundamental pillars

Incorporating security into the design of the devices is crucial, according to researchers at Kaspersky. At the moment, this is not being done enough. A report by ForeScout suggests that hackers can infiltrate a connected device in under three minutes. Most of these devices are running on out-of-date systems, making them ill-equipped to fight potential attacks.

“Trust and security are fundamental for our Digital Single Market to work properly,” said Vice-President Andrus Ansip of the European Commission, in charge of the Digital Single Market. The botnet Mirai, which recently caused widespread Distributed Denial of Service (DDoS) attacks, showed just how large an impact that security vulnerabilities can have in connected devices. Cyberattackers have used default passwords to control and infiltrate security cameras and other devices, allowing them to launch numerous attacks.

Boosting the security of connected devices

In early December 2018, EU negotiators agreed to boost the security of connected devices, paving the way for dedicated European certification schemes to be produced. “This is a ground-breaking development as it is the first internal market law that takes on the challenge of enhancing the security of connected devices, Internet of Things devices as well as critical infrastructure through such certificates,” the European Commission stated. This framework seeks to incorporate security features into the early stages of technical design and development.

The Commission is expected to publish a list of products which would benefit from compulsory certification by 2023. “The new rules will help people trust the devices they use every day because they can choose between products, like Internet of Things devices, which are cybersecure,” the Commission announced.