Smart Industry 2021
Smart Industry 2021 - The IoT Business Magazine - powered by Avnet Silica
Smart Business Title Story: The EU Cybersecurity Act
"We really think this could be an added-value globally – but we need to do it right."
Christoph Luykx, Policy director at Orgalim
A New Approach
To improve the internal market for goods and strengthen the conditions for placing a wide range of products on the EU market, the new legislative framework was adopted in 2008. It is a package of measures that aim to improve market surveillance and boost the quality of conformity assessments. It also clarifies the use of CE marking and creates a toolbox of measures for use in product legislation.
the European Council. Inaction by Brussels could push individual countries to bring into force national-level legislation, fragmenting the common market.
That calculation has resulted in a move to use a delegated act from RED to activate provisions that require manufacturers of wireless devices to fulfil cybersecurity requirements by protecting consumers from fraud and ensuring their privacy.
Such a move is acknowledged to have numerous shortcomings. For a start, it will cover only Internet-connected radio equipment and wearable radio equipment (estimated at around 75 percent of the connected-device market) and will not cover connected products that only use wires. In addition to excluding non-radio components (including processors), it won’t cover the life cycle of the product (patches) or require disclosure of vulnerabilities.
Despite its shortcomings, the RED delegated act is seen as the fastest way to introduce a cybersecurity law in the short term, rather than having to wait for the development of a new horizontal law. Industry groups have identified these ambiguities in what is to be covered, but they also worry that the regulations will introduce a mandatory set of standards and requirements, only for these to be superseded by a new law.
“We are completely supportive of mandatory baseline requirements under horizontal legislation, or of a certification scheme [like the CSA] which is voluntary and is more of a market-driven mechanism,” said Alberto Di Felice, director for infrastructure, privacy and security at Digital Europe. “What we’re seeing on the other end of the spectrum is the RED delegated act. We are far more skeptical about activating that instrument to target cybersecurity. The potential for overlaps and inconsistencies is huge.”
An important question is whether the delegated act will have coherence with the new horizontal law, which the European Commission has indicated is its intention. Da Silva believes that the rules put in place by the RED delegated act will match up with the new rules that are coming at the horizontal level, though overall the new horizontal law will be much broader in scope.
Overall, there is recognition among industry groups of the need for comprehensive regulation governing cybersecurity – and even its inevitability, given that the alternative would be a high degree of fragmentation – but the hope is to avoid contradictory or unworkable rules and develop these within the NLF, where there is input from industry.
Orgalim, a federation of European technology industry bodies, has called for horizontal legislation under the NLF. Christoph Luykx, its policy director, says that seeing such a request coming from industry may be surprising to a lot of people. “But it is precisely because we see a risk of fragmentation, the increased cost to produce and manufacture products, the confusion for the manufacturers and consumers, that is why we put forward a proposal for horizontal legislation,” he explains.
Coherent cybersecurity rules for the European marketplace can ultimately help companies gain an advantage by allowing them to prove their credentials, both at home and abroad, believes Luykx. “If we get this right, and we are coordinated, and the cost and the bureaucracy of this is manageable, [manufacturers] can take cybersecurity into account from the development of a product to its rollout and during its lifetime. So, we really think this could be an added-value globally – but we need to do it right and there is still a lot of work to do.”