Government regulation of IoT is relatively new and still taking shape, creating a complicated and dynamic regulatory landscape for both domestic and global markets. Given the extended timelines for IoT development, procurement, deployment, and operation, IoT decision makers have a real challenge: how will decisions you make today hold up against governance yet to come? This blog series examines the frameworks and processes that governments rely on, and provides questions to help you better evaluate the choices you’re making today.
In our April blog post, Navigating shifting tides: How will government actions on IoT security impact the decisions I make today?, we provided an overview of the rationale behind government actions on IoT security, the regulatory tools at their disposal, and the questions you should ask on how they might impact your IoT solution. This second post in the series focuses on government action and regulation in Europe. Future posts will provide details for other regions and/or countries with developing IoT regulation.
Navigating shifting tides: Government actions on IoT security in Europe
An increasing number of governments are trying to actively shape the IoT security landscape through various means that range from voluntary guidelines and best practices, standards, certification, and labeling programs, to mandatory requirements and legislation. Building on the framework introduced in the first post of this series, our goal for this post is to provide you with an overview of how IoT policy developments are progressing specifically in Europe.
Europe often leads in regulating the technology sector
It didn’t come as a surprise that Europe was the clear first choice in survey results. The European Union (EU) has an established record of leading change in the global policy landscape and regulation of the technology sector. For example, the General Data Protection Regulation (GDPR), implemented in May 2018, has had a significant effect on the advancement of individuals’ controls and rights over their data compared to prior privacy regulation. Several countries outside the EU have adopted similar or comparable data privacy laws, including the California Consumer Privacy Act (CCPA).
In the context of IoT security, the influence of Europe’s regulatory action does matter to IoT solution designers, builders, and operators: there are signs that certain policy developments on IoT security in Europe have already started to shape government actions in other countries. For example, the European Telecommunications Standards Institute (ETSI) standard ETSI EN 303 645 (Cyber Security for Consumer Internet of Things: Baseline Requirements) has arguably already become a focal point defining security requirements in the IoT consumer space. Finland, Singapore, and the United Kingdom (UK) have already taken action based on this European standard, ranging from consumer labels to draft legislation with potentially mandatory requirements (more below).
ETSI EN 303 645 as an emerging center of gravity
Industry voices are important and can be influential to regulation, but, as in the previous blog post, we will only focus on actions by governments or forums in which industries act as stakeholders (e.g., standards or certification bodies). This blog post is not an exhaustive list of all actions in Europe, but instead focuses on those that, from our perspective, have the most significant traction within the policy landscape.
In the category of voluntary guidelines and best practices, the UK’s Code of Practice for Consumer IoT Security stands out as a very influential government action with broad impact through ETSI EN 303 645, described below. Published in October of 2018, the code provides guidance for manufacturers of connected consumer devices. It contains thirteen outcome-focused guidelines:
1) No default passwords
2) Implement a vulnerability disclosure policy
3) Keep software updated
4) Securely store credentials and security-sensitive data
5) Communicate securely
6) Minimize exposed attack surfaces
7) Ensure software integrity
8) Ensure that personal data is protected
9) Make systems resilient to outages
10) Monitor system telemetry data
11) Make it easy for consumers to delete personal data
12) Make installation and maintenance of devices easy
13) Validate input data
These effectively became the provisions in ETSI EN 303 645.
In the category of standards, ETSI EN 303 645 has become the focus of and foundation for many government actions. This is a great example of governments using a standard as the underlying structure for legislation or certification. While the standard itself is neutral—it is neither voluntary nor mandatory—policymakers can leverage the standard as the basis of a certification or legislation. ETSI EN 303 645 was developed with industry, academics, testing institutes, and government bodies, and is “designed to prevent large-scale, prevalent attacks against smart devices.”[1] Those devices include connected children’s toys, door locks, smart cameras, TVs, health trackers, and home appliances.[2] Based on the 13 provisions from the UK Code of Practice for Consumer IoT Security mentioned above, ETSI EN 303 645 extends further, with more outcome-focused technical details. To facilitate market adoption of the 13 provisions among institutions creating certification and labeling schemes, ETSI TS 103 701 was developed to provide more details and support regarding how to test products claiming to be compliant with ETSI EN 303 645. The test specifications of ETSI TS 103 701 include a conformance assessment methodology intended to support suppliers, implementers, users, and testing organizations, as well as certification scheme owners.[3] From our perspective, it is fair to say that this has been the most significant action so far in terms of its adoption by manufacturers as well as testing organizations and government bodies. According to ETSI, the “standard has become a reference for securing IoT devices all over the world and is already used by several cybersecurity regulations.”[4] In addition, “fitness watches, home automation devices, smart hubs, and robot vacuum cleaners, dishwashers and more devices are already compliant with the ETSI standard.”[5]
Building on that, in the category of certification and label programs, Finland became the first European country to put in place a certification for smart devices based on ETSI EN 303 645. The Finnish Transport and Communications Agency Traficom launched a Cybersecurity Label back in November 2019 that can be used by manufacturers that meet the requirements of the standard and certification criteria.[6] The intended impact on the market is clear: with the label, Traficom aims to “raise consumer awareness of information security and the safe use of connected devices.”[7] The agency studied consumer behavior and found that one in two Finnish consumers are concerned about cybersecurity in their smart devices, and two in three found it important to have information available that could affect their buying decisions.[8] If enough manufacturers decide to implement the label, that might . We can’t make any specific predictions, but expect more countries (inside and outside the EU) to follow suit, as Singapore did with its Cybersecurity Labelling Scheme (CLS).
In the category of mandatory requirements and legislation, the European Commission adopted a delegated act to the Radio Equipment Directive (RED) from 2014 that “aims to make sure that all wireless devices are safe before being sold on the EU market.”[9] It “lays down new legal requirements for cybersecurity safeguards, which manufacturers will have to take into account in the design and production of [affected products].”[10] At a high level, there are measures intended to 1) improve network resilience, 2) better protect consumers’ privacy, and 3) reduce the risk of monetary fraud. In the context of this blog post, designers and manufacturers of IoT devices in scope “will have to incorporate features to avoid harming communication networks and prevent the possibility that the devices are used to disrupt website or other services functionality.”[11] Manufacturers will have 30 months to ensure that products in scope (those placed on the market once the act becomes applicable) are compliant, which would fall in mid-2024. Essentially all devices that are able to wirelessly communicate with the Internet, with some exceptions such as certain medical and aircraft equipment, will have to comply with the regulation when their manufacturers place them on the EU market.[12] The exact technical requirements, compared to the level of detail in ETSI EN 303 645, are not clear yet, but the European Commission will support manufacturers by asking the standard-setting organizations to develop the applicable standards. Given that the requirements apply to all devices that connect to the Internet (with some exceptions), this regulation effectively covers more than just consumer devices, in contrast to the government actions described earlier in this blog post. IoT solution designers, manufacturers, and operators will all have to closely monitor future developments in this space to make sure their products are compliant by mid-2024.
What to expect going forward
Writing this blog post in mid-2024 instead of today would almost certainly produce a different picture. Europe will continue to assess and iterate on what its policymakers believe will be necessary to ensure all connected devices are secure to the degree they deem necessary. While we can’t predict the future, there are certain developments to look for.
In the UK, the Product Security and Telecommunications Infrastructure Bill aims to build on the Consumer Code of Practice and ETSI EN 303 645 by potentially making three of their requirements mandatory for consumer IoT devices sold in the UK. The bill would grant the Secretary of State for Digital, Culture, Media and Sport the power to define minimum requirements and ensure they’re complied with. Initially the requirements would be 1) banning universal default passwords, 2) informing customers about the minimum timeframe for products to receive security updates, and 3) requiring manufacturers to have a process that allows the reporting of security bugs.[13] As of the publication of this blog post, the bill is still moving through the legislative process. The most recent information and details can be found on the UK Parliament’s website.
In addition to the Radio Equipment Directive mentioned above, the EU has also provided the EU Agency for Cybersecurity (ENISA) with a mandate to define schemes in a cybersecurity certification framework for products and services that potentially include IoT devices. Under the umbrella of the EU Cybersecurity Act, ENISA will be “setting up and maintaining the European cybersecurity certification framework by preparing the technical ground for specific certification schemes.”[14] As of today there is no scheme for IoT devices, but this might change in the future.
Finally, we might also see more guidance or regulatory measures for verticals that go beyond consumer devices. Industrial and critical infrastructure, however their exact scope might be defined, are potential device categories that will see similar actions. Given the potential consequences of security incidents in those areas, requirements are likely to expand beyond what we’ve seen in the consumer space. The European Commission also recently closed a public consultation on the Cyber Resilience Act, which “aims to address market needs and protect consumers from insecure products by introducing common cybersecurity rules for manufacturers and vendors of tangible and intangible digital products and ancillary services.”[15] The act is still going through the Commission’s process at the time of writing, but it should definitely be monitored due to its potential impact on both devices and associated services.
Standards and the responsibilities to meet them in most cases don’t map neatly to one supplier. For example, when evaluating the question “Is IoT solution X compliant with government action Y?”, the answer is rarely a straightforward “yes,” but more often “yes, depending on how Z is implemented.” To make it even more complicated, “Z” can sometimes fall into the responsibilities of more than one stakeholder. From the perspective of any IoT solution designer, builder, operator, and even buyer, clarifying responsibility for compliance as early as possible in the evaluation process is crucial to avoid costly surprises. It usually is a team sport and not an out-of-the-box experience.
Finally, we want to stress again that meeting guidelines, standards, certifications, and labels, as well as regulations, is important to many customers, but it is not an end in itself. Rather, these should be one factor of many used to assess the desired security posture—which can differ based on use cases and risk tolerance—and security is always a journey and never a destination.
Survey: Tell us more about your perspective on European government actions!
At Azure Sphere, our goal is to always listen to our customers’ needs and learn how we can address them. If you would like to speak to our team about this topic and our solution, feel free to contact us at azuresphereresearch@microsoft.com.
[1] ETSI - ETSI releases test specification to comply with world-leading Consumer IoT Security standard
[2] ETSI - ETSI releases test specification to comply with world-leading Consumer IoT Security standard
[3] TS 103 701 - V1.1.1 - CYBER; Cyber Security for Consumer Internet of Things: Conformance Assessment of Baseline Requirements (etsi.org)
[4] ETSI - ETSI releases test specification to comply with world-leading Consumer IoT Security standard
[5] ETSI - ETSI releases test specification to comply with world-leading Consumer IoT Security standard
[6] Finland becomes the first European country to certify safe smart devices – new Cybersecurity label helps consumers buy safer products | Traficom
[7] Finland becomes the first European country to certify safe smart devices – new Cybersecurity label helps consumers buy safer products | Traficom
[8] Finland becomes the first European country to certify safe smart devices – new Cybersecurity label helps consumers buy safer products | Traficom
[9] Commission strengthens cybersecurity of wireless devices (europa.eu)
[10] Commission strengthens cybersecurity of wireless devices (europa.eu)
[11] Commission strengthens cybersecurity of wireless devices (europa.eu)
[12] EU sets new cybersecurity rules for wireless 'internet of things' (euobserver.com)
[13] The Product Security and Telecommunications Infrastructure Bill – an important development in UK IoT cybersecurity law - Kennedys (kennedyslaw.com)
[14] The EU Cybersecurity Act | Shaping Europe’s digital future (europa.eu)
[15] Cyber resilience act – new cybersecurity rules for digital products and ancillary services (europa.eu)