EC rule on cybersecurity safeguards

by Mark Rowe

The European Commission has set new legal requirements for cybersecurity safeguards, which manufacturers will have to take into account in the design and production of mobile products, notably phones. Also covered are tablets and other products capable of communicating over the internet; toys and childcare equipment such as baby monitors; and wearable equipment such as smart watches or fitness trackers.

Thierry Breton, Commissioner for the Internal Market, said: “Cyber threats evolve fast; they are increasingly complex and adaptable. With the requirements we are introducing today, we will greatly improve the security of a broad range of products, and strengthen our resilience against cyber threats, in line with our digital ambitions in Europe. This is a significant step in establishing a comprehensive set of common European Cybersecurity standards for the products (including connected objects) and services brought to our market.”

Wireless devices and products will have to incorporate features to avoid harming communication networks and to prevent the devices being used to disrupt the functionality of websites or other services. They will also need features to guarantee the protection of personal data. As for the protection of children’s rights, manufacturers will have to implement new measures to prevent unauthorised access to, or transmission of, personal data. And wireless devices and products will have to include features to minimise the risk of fraud when making electronic payments. For example, they will need to ensure better authentication control of the user in order to avoid fraudulent payments.

Comment

Ian McShane, CTO at the cyber firm Arctic Wolf, said: “For years now, bad actors have been able to exploit the appalling and non-existent security controls within various IoT devices widely used by businesses and their workforces. Even now in 2021, hundreds of thousands of these devices are being shipped without any real concept of security, meaning many are still actively vulnerable to some form of hijacking.

“Therefore the European Commission’s new cybersecurity guidelines for these devices are definitely welcome and overdue, but I am sceptical when I see words like ‘prevent’ and ‘guarantee’, as there are no security controls that provide 100 per cent protection. It will also be interesting to see which controls will in fact be enforced, and whether these will still also be relevant when the legislation is introduced.

“Ultimately, the word ‘guidelines’ gives the impression these will be optional for manufacturers to follow, rather than mandatory. When we live in an era where governments are so disconnected from the reality of security and technology, I’m not going to hold my breath on this having a tangible impact on improving the cybersecurity posture of businesses any time soon.”

© 2024 Professional Security Magazine. All rights reserved.