What Businesses Need to Know About the EU IoT Bill

The Cyber Resilience Act is a world first. Europe’s proposed legislation will set minimum cybersecurity standards for connected devices and require products to stay up-to-date throughout their lifespan. 

The bill will be a major win for consumers and their cybersecurity posture. However, implementing the changes will require action from hardware and software producers. And those not up to code will face stiff penalties. Let’s explore the legislation and what businesses should do next.


What is the Resilience Act?

The Cyber Resilience Act is proposed legislation to protect consumers and businesses from insecure connected devices. It makes cybersecurity measures mandatory for “products with digital elements,” going far beyond the standards created by not-for-profit bodies such as ETSI, and it will be enforced across Europe.

The proposal includes four main objectives: 

  • To improve the security of digital products, 
  • To create a cohesive cybersecurity framework for hardware and software producers,
  • To bring transparency to security features and
  • To protect businesses and consumers. 

The act strikes a balance between these objectives by mandating an appropriate level of cybersecurity, prohibiting the sale of products with known vulnerabilities, protecting against unauthorized access, limiting attack surfaces and minimizing the impact of incidents. 

If passed, manufacturers will be required to perform regular vulnerability tests. Meanwhile, European member states will play a role in ensuring compliance through market surveillance bodies.

But Not Everyone’s Happy

The act is not without criticism. Last month, more than a dozen open source organizations penned a letter urging the European Commission to reexamine the act. Chiefly, the group believes the proposal in its current form could have a “chilling effect” on the development of open source software. Signatories, which included the Eclipse Foundation, Linux Foundation Europe and the Open Source Initiative, argued that the act “poses an unnecessary economic and technological risk to the EU.”

A significant proportion of the software used in European digital products is open source. However, the group claimed that communication between the community and co-legislators has been lacking. The letter went on to say that regulating more than 70% of the continent’s software without adequate consultation would be a mistake. Therefore, the group concluded, ongoing discussions require improved dialogue to ensure the act does not unfairly restrict open source development going forward.

It’s worth noting that the draft legislation does mention the open source market, stating, “In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this regulation.”

What Businesses Should Do Now

The impact of this letter remains to be seen. Businesses, however, don’t have the luxury of waiting to find out. Industry experts believe the act will be approved and enforced within two years. And for connected device providers and software creators, penalties for non-compliance may include fines of up to €15 million or 2.5% of global turnover.

The best advice for affected businesses is to prepare for these changes immediately. Understand the legislation, seek legal and technological counsel and review your cybersecurity processes. Then, if there are changes to make (and there likely will be), give yourself enough time to troubleshoot.

Keep in mind that tech has seen something like this before. The General Data Protection Regulation (GDPR) in 2016 heralded sweeping changes to how companies store consumer data. And, just like this incoming act, it required considerable investment to get up to code. For example, the average firm spent more than €1.3m on GDPR readiness initiatives.

Looking ahead, two years is not a long time in device and software development. And any changes are likely to require investment and innovation. Therefore, European businesses should get started today to be cybersecurity-ready tomorrow. 

Carsten Rhod Gregersen

Carsten Rhod Gregersen is founder of Nabto.