Cyber-resilient IoT: Towards horizontal cybersecurity requirements
Smart Home, Smart Mobility and Industry 4.0: from everyday life to mobility and production in factories, ever more areas of our daily lives are becoming smarter, i.e. more digital and therefore more networked. According to current estimates, the number of connected devices worldwide is expected to rise to 125 billion by 2030, up from 27 billion networked objects in 2017. The advancing spread of digital technologies is creating a wide range of new opportunities for private and commercial users alike. However, digitalisation also poses numerous challenges with regard to safety, security and privacy.
These risks can be countered by targeted technical, regulatory and behavioural measures (such as security-by-design). German industry is already investing in the cybersecurity of products, processes, people and services. Nevertheless, one hundred percent cybersecurity cannot be achieved, let alone guaranteed. This is especially true because attack vectors are constantly changing, new vulnerabilities are continually being discovered, and human error can never be completely avoided.
Cybersecurity for connected devices
Increasingly, home devices such as fridges and TVs are connected to the Internet and thereby become “smart”. In doing so, they are also exposed to threats from cyberspace. In order to ensure a degree of cyber-resilience adequate to these risks, German industry is developing cyber-resilient products and services.
For companies, coherent legal provisions are crucial for facilitating the development of products that meet the requirements stipulated by law, and for placing them on the market. Therefore, BDI, DIN and DKE advocate the introduction of horizontal cybersecurity requirements based on the principles of the New Legislative Framework. We expressly welcome the European Council’s conclusions on the cybersecurity of connected devices. The Council underlines the need for complementary and comparable requirements for the cybersecurity functionalities of IT systems and IT components.
While compliance with the requirements stipulated in the schemes of the EU Cybersecurity Act is a priori voluntary, mandatory requirements for products are only possible via a legislative act based on the New Legislative Framework (NLF). Horizontal requirements are preferable to integrating cybersecurity requirements into vertical, product-group-specific acts. Only a horizontal approach avoids fragmentation of cybersecurity requirements and, at the same time, ensures their coherence.
Cybersecurity is highly dynamic: attack vectors constantly change, and cybersecurity measures are constantly developed in response. Hence, to achieve overarching cyber-resilience, the law should define only general, binding protection objectives. These should then be specified in harmonised European standards (hEN), which can reflect the evolving state of the art.
Trust in digital technology: CE needs to stand for cybersecurity
The New Legislative Framework focuses on the placing of a product on the European Single Market. The aim is to ensure that all products and services placed on the European Single Market by manufacturers and importers meet the requirements for safety and security. This helps to guarantee the safe commissioning of these products.
Products that meet the essential requirements of NLF-based EU legislation, typically by applying harmonised European standards, carry the CE marking. The NLF provides transparent conditions for conformity marking and the declaration of conformity. The application of the CE marking has been established and proven over many years. Private and commercial users recognise compliance with the corresponding requirements by the CE marking. By combining conformity assessment and market surveillance, the CE marking acts as an anchor of trust and confidence for private and commercial customers alike.
BDI, DIN and DKE urge policy makers to propose horizontal NLF-based cybersecurity requirements. Products placed on the European market carrying the CE marking would then guarantee not only a high level of physical safety and security but also a risk-adequate level of cyber-resilience. In this way, the CE marking would be carried into the digital age.
What does this mean for the EU Cybersecurity Act?
Currently, cybersecurity requirements are developed in schemes under the EU Cybersecurity Act. BDI, DIN and DKE argue that these schemes are not adequate to address cybersecurity holistically. Only a horizontal approach based on the NLF can guarantee an overlap-free and gap-free regulation of cybersecurity across product groups. We therefore propose a bridge between these two legislative acts.
With a bridge between the cybersecurity requirements of a product-centred, horizontal NLF-based EU legislative act and the schemes under the EU Cybersecurity Act, the two approaches can complement each other. In this way, coherent cybersecurity requirements can be guaranteed for the products falling within the scope of both legislative acts. Hence, while the EU Cybersecurity Act would not be abolished, harmonised European standards under a future NLF-based legislative act on cybersecurity would take precedence.