Europe To Tackle Cyber in New Law
The European Union (EU) is drafting a groundbreaking directive to tackle cybersecurity and data privacy, as well as the Internet of Things (IoT).
This draft is a direct response to risks, as the text clarifies in its opening sentence: “Hardware and software products are increasingly subject to successful cyberattacks.”
The resolution is an addition to several other directives and affects anyone looking to sell in the common market, with a required “‘appropriate’ level of cybersecurity, the prohibition to sell products with any known vulnerability, security by default configuration, protection from unauthorized access, limitation of attack surfaces, and minimization of incident impact,” explained Jasper Nagtegaal, Dr2 Consultants managing partner.
Another novelty is that the obligation to report breaches to authorities within 24 hours is extended beyond the current focus on personal information and critical telecommunications infrastructure. Additionally, importers and distributors must inform the government or manufacturers of cybersecurity vulnerabilities and take corrective actions, according to the proposed text.
“Incident reporting can play an important role in informing actions to both respond to incidents, but also contain and prevent further impact from the threat or vulnerability,” wrote Sebastian Gerlach, senior director, Global Public Policy, at Palo Alto Networks, a consultancy.
This legislation follows a report from the EU’s executive, the European Commission, that detailed how, in the five years to 2020, cyber crime almost doubled to $5.8 trillion globally. The new regulation targets not only persons or groups breaking the law but also adversarial state actors, in a context where some analysts believe it could be fast-tracked for approval at record speed for the 27-nation bloc.
The required security measures for technologies are split into two levels.
The first category covers browsers, password managers, anti-viruses, firewalls, virtual private networks, network management systems, physical network interfaces and routers, and includes all operating systems, microprocessors and industrial IoT.
The second category is reserved for high-risk products such as desktop and mobile devices, virtualized operating systems, digital certificate issuers, general purpose microprocessors, card readers, robotic sensors, smart meters and all IoT, routers and firewalls for industrial use, according to Nagtegaal.
“The main difference between the two categories is the compliance process,” Nagtegaal wrote in a note.
According to the European Commission’s official document on shaping Europe’s digital future, the security standards are left relatively open, and four specific objectives were laid out:
- ensure that manufacturers improve the security of products with digital elements from the design and development phase and throughout the whole life cycle;
- ensure a coherent cybersecurity framework, facilitating compliance for hardware and software producers;
- enhance the transparency of security properties of products with digital elements, and
- enable businesses and consumers to use products with digital elements securely.
These objectives were further clarified in an annex, where high-security settings are mandatory, starting at the design phase, for all things digital. Additionally, all “digital elements shall be delivered without any known exploitable vulnerabilities.” Therefore, if an issue is known to the distributor and the distributor still sells the digital goods, all liability falls on the distributor.
“Consumers expect the products they purchase to be safe and secure. Hence, creating greater awareness of the importance of these security requirements in products will result in customers considering key security criteria when making purchasing decisions,” Nagtegaal noted. Products will have to be labeled to fully inform buyers of the safety thresholds in their purchase.
However, such a load on suppliers has already created friction.
“The industry also warned that the legislation should encompass a clear definition, considering differences in the development, functionality and use of digital products. Different sectors also ask the commission that it should consider existing vertical legislation for specific sectors and/or product groups,” Nagtegaal said.
When harmonizing the regulations among individual countries in a bloc of over two dozen jurisdictions, issues like cybersecurity are complex. For example, the International Telecommunication Union Global Cybersecurity Index places Estonia at the top of the list with a score of 99.48, while the Czech Republic scores 74.37, below Moldova or, for example, Rwanda.
Another factor is added costs to budding businesses.
“Adding essential cybersecurity requirements risks excluding [small and medium enterprises] from the market,” Nagtegaal explained.
This regulation adds another layer of expense as it mandates regular testing to stay on top of product vulnerabilities.
The current consensus text leaves issues unresolved. Among them is software as a service (SaaS), which is not currently covered by this regulation. Still, Denmark, Germany and the Netherlands are pushing for this to be covered within these requirements.
The proposal laid out its argument in an official publication, stating that “many digital products depend on, and interlink with, a wide array of other digital products, processes and services, even when this is not immediately visible. With continued digitization, this will only increase. The distinction between different digital services such as SaaS, apps, software and cloud services is not always clear.”
These countries point out that leaving SaaS out of the security provisions may leave an open flank in integrated technology services using these tools.
The different points of view within the EU add further dimensions to these discussions.
“Some governments, including Germany and the Netherlands, treat cybersecurity as a question of homeland security, while others, such as Latvia and Denmark, consider it a question of defense. Still, other countries, including Finland and Italy, see cybersecurity as a matter of commerce and communications,” analyzed Luukas K. Ilves, Timothy J. Evans, Frank J. Cilluffo and Alec A. Nadeau in a paper addressing these issues.
The regulation also tackles privacy, an area where the EU has led with stringent protections.
Among the data security requirements, there is a further limitation on how this information is used. Industry participants should “minimize data processing to data that is adequate, relevant, and necessary in relation to the intended use of the product,” assessed David Dumont, partner at Hunton Andrews Kurth LLP.
The penalties for noncompliance with all requirements could amount to $16 million or 2.5% of the annual turnover, according to the regulation.
Despite the stringent standards, security concerns have prevailed. Among legislators’ first concerns was preparedness. “If we are being attacked on an industrial scale, we need to respond on an industrial scale,” said member of European Parliament Bart Groothuis.
This is based on a previous strategy adopted for the bloc by the European Commission, and according to the document, its aims are:
- resilience, technological sovereignty and leadership;
- operational capacity to prevent, deter and respond;
- cooperation to advance a global and open cyberspace.
The Cybersecurity Resilience Act needs to complete full passage by the European Parliament. After that, the text allows companies two years to prepare and adapt.
While officially, the legislature has up to four months to pass a law once it reaches the floor, getting to that point could be a long journey. The European Commission’s president, Ursula von der Leyen, has stressed this as a priority in her agenda. Von der Leyen has been vocal about this issue in her social media and her State of the Union Speech in 2021.
On that occasion, she said: “We cannot talk about defense without talking about cyber. If everything is connected, everything can be hacked. Given that resources are scarce, we have to bundle our forces. And we should not just be satisfied to address the cyber threat, but also strive to become a leader in cybersecurity.”
Although the norm has not yet passed and the approval process in the bloc could take months, once it is completed the consequences will be felt around the world: “given the global standing of the European market, this regulation will have a much greater impact than ‘the internal market’ and affect global producers,” the IoT Security Foundation, a U.K.-based organization, said in a statement.
While approval is not dated yet, some argue the process could end up surprising many in the industry.
“Given that we are more than halfway through the European Commission’s mandate, the aim will certainly be to agree [to] the final text ahead of the European Parliament elections in May 2024,” wrote Julia Utzerath, Theresa Ehlen, Christoph Werkmeister and Eugene McQuaid, lawyers at Freshfields Bruckhaus Deringer.
The previous regulation, the “Directive on security of network and information systems,” or NIS Directive, of 2016, remains the standing cybersecurity law in the bloc.