EU to introduce strict IoT security regulation
Manufacturers will be required to assess all risks, and notify the EU of issues within 24hrs


The EU is set to introduce a law that would require smart devices to meet strict cyber security rules, under threat of a ban on non-compliant devices.
Internet of Things (IoT) devices such as smart home controls and fitness trackers are becoming ubiquitous, making life more convenient while also widening the attack surface through which threat actors can carry out cyber crime.
The proposal, which Reuters reports is titled the Cyber Resilience Act, will be formally put forward on 13 September. Once in force, smart device manufacturers will be required to assess the risk profiles of their products and fix any vulnerabilities they discover.
Should a vulnerability or active threat be discovered, the law would also require companies to notify the European Union Agency for Cybersecurity (ENISA) within 24 hours.
Companies that fail to comply with the legislation would face serious consequences: the proposed upper limit for fines is €15 million or 2.5% of global turnover, whichever is higher. Products found to violate the law could also be banned from sale in the EU altogether.
Researchers have long been concerned over the security risk posed by IoT devices. In 2021, Kaspersky researchers reported that over 1.5 billion attacks had been made against such devices in just the first six months of the year, a more than 100% increase from the same period in the previous year.
"Given the unsustainable 'react and patch' approach to cyber security today, it is imperative that manufacturers move to ensure products are delivered more secure by default," stated Professor John Goodacre, director of the UKRI's Digital Security by Design challenge and professor of computer architectures at the University of Manchester.
"This new EU bill along with the UK government's PSTI bill are clear indications that non-commercial incentives are required to move the burden of cyber defence from the user to earlier in the supply chain.
"The UK government also has a UKRI programme, Digital Security by Design, that moves this burden even earlier in the supply chain by investigating how the actual computer chips in all digital systems can protect users from vulnerability exploitation by design."
The benefits of the law could be wide-reaching, allowing consumers and businesses alike to use their devices without fear of device failure, or of IoT connectivity being used as a foothold from which attackers escalate into malware or ransomware attacks.
In the proposal paper seen by Reuters, lawmakers argue that the introduction of the Cyber Resilience Act could cost companies as much as €29 billion per year — but that this would save an estimated €290 billion in annual damages.
Security firms specialising in smart device assessment could also see a major boost as a result of the law. In March, Meticulous Market Research predicted that the IoT security market would hit $59 billion by 2029.
Felixstowe Docks in Suffolk, the UK's busiest port, announced plans earlier this year to fit the quay cranes used to move shipping containers with 5G IoT sensors, to reduce equipment failure and optimise port efficiency. If hit by the kind of breach that other IoT devices have suffered, the knock-on effect on supply chains across the UK could be catastrophic.
This article was updated to include a quote from Professor John Goodacre.

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.