Tech & Sourcing @ Morgan Lewis


The European Union Agency for Network and Information Security (ENISA), along with three semiconductor companies, recently released a position paper proposing a position for the European Commission (EC) on security and privacy standards as they relate to Internet of Things (IoT) devices. ENISA is an agency established by the European Union to assist the EC, its member states, and businesses in addressing, responding to, and preventing cybersecurity issues. The paper points out that as IoT devices expand into all aspects of everyday life, including critical infrastructure and health systems, cyberattacks are becoming more threatening and more risky. The paper includes four key recommendations.

First, the EC should define a framework to ensure minimal security requirements for connected devices. This framework should include a baseline security certification addressing IoT devices, commercial off-the-shelf (COTS) products and services, and products with short life cycles. The framework should also include a European trust label for connected devices that clearly indicates to consumers that the products meet established security guidelines.

Second, the EC should ensure that reliable processes and services are being developed and implemented by IoT manufacturers. The EC should promote awareness of existing security features such as encryption and strong authentication, and support the continued study of and improvement upon such existing security features.

Third, the EC should encourage the development of minimal requirements and common principles that should also be considered in future revisions of existing legislation and new legislative initiatives. In developing these requirements and principles, commonalities should be used across various sectors of the economy (e.g., healthcare, energy, transportation) to minimize the amount of standards for similar certifications. The requirements and principles should also take into account safety where human lives would be endangered by cyberattacks (e.g., cyberattacks in the automotive or healthcare sectors).

Lastly, the EC should strive to create a level playing field, which could include a “Digital Security Bonus” as a reward for implementing good security practices, as well as an enforceable set of penalties for dealing with vendors that abuse established practices or deliver counterfeit products.

Whether the EC adopts any portion of the proposal remains to be seen. In a post last fall, we noted there was growing concern by members of US Congress over regulation of IoT devices. In the United States, both the Federal Trade Commission and the Department of Homeland Security have issued guidance to IoT manufacturers, but compliance with such guidance is voluntary. We will provide updates on this topic as new information becomes available.