CS Nov-Dec 2022
legislation

EU CYBER RESILIENCE ACT UNVEILED

GETTING THE BALANCE RIGHT

MIKE NELSON, VP OF IOT SECURITY AT DIGICERT, EXPLAINS WHAT THE EU CYBER RESILIENCE ACT MEANS, IN THE FIRST MOVE TO LEGISLATE CYBERSECURITY FOR THE INTERNET OF THINGS

The EU Cyber Resilience Act is the first EU-wide legislation to emerge that imposes cybersecurity rules on manufacturers. It will cover both hardware and software, and applies to both manufacturers and developers, making them responsible for the security of connected devices. The European Commission states that the regulation will tackle two issues: "the low level of cybersecurity of many of these products and more importantly the fact that many manufacturers do not provide updates to address vulnerabilities".

WHAT WILL THE EU CYBER RESILIENCE ACT REQUIRE?

The devil will be in the details as the requirements are developed and released. We anticipate that they will use non-prescriptive approaches similar to those in other regulations, such as 'encrypt sensitive data', 'devices must have the ability to be updated', 'ensure integrity of software and firmware', etc. However, to justify a penalty, the regulators will need some measurable approaches. There will likely be a requirement for regular updates, as that is one of the pain points the European Commission raised. Sending automatic updates to a large number of devices will be difficult without a solution that helps manufacturers maintain viability and automate tasks. Additionally, the EU Commission has stated that more information will need to be available for consumers to make informed purchasing decisions and to set up their devices securely.

HOW WILL THE EU CYBER RESILIENCE ACT AFFECT IOT MANUFACTURERS?

IoT device manufacturers could face massive fines and penalties for non-compliance with the drafted EU Cyber Resilience Act. This is one of the first pieces of legislation to require a financial penalty for non-compliance. The EU is clear that, with this proposed legislation, the financial burden of securing devices will rest with manufacturers and developers. Furthermore, products that do not meet "essential" cybersecurity requirements will not be allowed to go to market. Thus,
computing security Nov/Dec 2022 @CSMagAndAwards www.computingsecurity.co.uk