The EU Cybersecurity Act: A Price worth Paying

With businesses and consumers in Europe facing ever-more sophisticated cyber threats, policy makers are scrambling to ensure there are adequate regulations to help protect them. A host of new rules should improve cybersecurity, but some industry groups warn these will add to costs and administrative burdens and may even spawn confusion and ambiguity.

The scale of Europe’s cyber security vulnerability is startling. In 2019 alone, there were almost 450 cybersecurity incidents involving European critical infrastructure, such as finance and energy companies, while healthcare organizations and professionals have been especially hard hit during the Covid-19 pandemic. Ransomware attacks are growing sharply globally with more than €10 billion paid out in 2019, a big leap from the previous year. Mariya Gabriel is European Commissioner for Innovation, Research, Culture, Education, Youth, and Sport. She has been ranked among the 50 most influential women in Europe in the field of cybersecurity. She believes that “Cyber threats have become a matter of national security. They underpin the resilience of critical infrastructure, from power plants to the banking system and online according to her studies, cybercrime will cost the world €5.5 trillion by the end of 2020, up from €2.7 trillion in 2015. “This rise is due, in part, to cybercrime activity during the Covid-19 pandemic,” she says. This could be the largest transfer of economic wealth in history and, if it happens, it will be more profitable than the global trade in all major illegal drugs combined.

Especially worrying, on the business front, is that European companies are considered less prepared to thwart a cyberattack than their counterparts in Asia and America. Over two-thirds of EU businesses, in particular SMEs, are considered novices when it comes to cybersecurity, according to a high-level summary by the European Commission (The EU’s Cybersecurity Strategy for the Digital Decade). Experts also point to a brain drain of cybersecurity professionals from Europe, especially to the United States.

Mariya Gabriel: The European Commissioner for Innovation and Research is considered one of the most influential women in the feld of cybersecurity. “Cyber threats have become a matter of national security,” she says. “They underpin the resilience of critical infrastructure, from power plants to the banking system and online marketplaces for small businesses.”

It was estimated that 291,000 job postings for cybersecurity positions within the EU remained unfilled in 2020. That matches the experience of Martin Giess, the CTO and cofounder of EMnify, a Germany company that offers cellular connectivity solutions to businesses ranging from logistics to industrial IoT. “[Companies in] Europe are quite a bit behind when it comes to cybersecurity,” says Giess. “In North America there is more willingness to adopt new functionality and implement it.”

Geiss says that typical weaknesses include companies buying off-the-shelf components and not updating default settings, or companies working in a “first or second-generation technology environment that is ten or 15 years old.” Companies that have experienced some kind of attack are far more willing to invest in IT security, he adds, while those that have not tend to be more complacent.

Security Is the First Cut

On the consumer front, people who worry about cybersecurity point to the massive profusion of connected devices in a market where price is often the main consideration, while many consumers lack even rudimentary knowledge about device security. That implies the onus should be on manufacturers to apply principles such as security by-design to their products. However, tests by consumer watchdogs have revealed major vulnerabilities in children’s dolls, smart watches, smart doorbells, and other intelligent home products, says Frederico Oliveira da Silva, senior legal officer at the European Consumer Organization (BEUC), an umbrella group representing the interests of national consumer groups. Risks include hackers being able to talk remotely to children, capture video, and, in the case of intercom doorbells, gain access to a property, as well as more general threats like exploiting IoT devices as part of a botnet attack.

The bonus should be on the manufacturers to apply security-by-design to their products.
_{Frederico Oliveira da Silva, European Consumer Organization (BEUC)}

An additional problem is a lack of EU wide legislation has meant that consumer protection agencies have by and large been unable or reluctant to remove insecure products from the market. In the case of a doll, My Friend Cayla, widely publicized security and privacy failings did not result in an EU ban, though in Germany authorities withdrew the device in 2017 over privacy concerns.

In 2018, the General Data Protection Regulation (GDPR) was introduced, which can be used to apply heavy penalties for data breaches, but these laws are typically not intended to be used to prevent the sale of cyber-insecure products, notes Da Silva.

Given the scale of the problem, it’s no surprise that cybersecurity is a key focus for legislators in Brussels, with the emphasis on a number of new and updated rules designed to bolster security in business environments and for consumer IoT. These include an update for the Network and Information Systems (NIS) Directive, the EU Cybersecurity Act (enacted in 2019, though elements came into force in 2021), and a delegated act of the Radio Equipment Directive (RED), which is expected to be introduced in 2021. Certain key technology areas – cloud, 5G, and artificial intelligence – are also receiving special attention.

NIS is not being applied in a uniform way all across the EU.
_{Cristina Cretu, Senior privacy and technology consultant at MPR Partners}

The result will be that those companies that have the least-developed cybersecurity profiles will have to work the hardest to meet baselines, while those with the right measures already in place are better positioned to comply. The downside is that increased security may result in higher costs across the supply chain. Giess at EMnify, which uses multinetwork IoT SIM cards to connect client assets to the cloud, believes the regulatory push is driving increased focus on cybersecurity within businesses. “It definitely creates pressure on companies, and we are seeing an increased interest in our products,” he says. “You can really perceive that cybersecurity is becoming a more important buying criterion for customers. It’s not only about the price and the quality of the service – it’s really that your products can fulfil certain security requirements.”

Navigating the Rules Maze

When it comes to cybersecurity, there is no single law in the EU but a mosaic of rules and regulations. The most prominent horizonal rule for cybersecurity is the NIS Directive, covering entities within sectors considered vital for the economy and society, such as energy, transport, water, banking, financial market infrastructures, health care, and digital services.

The NIS Directive is currently being overhauled. In part, this is necessary because analysis showed it was not being applied across the EU in a uniform way, creating discrepancies between the member states and affecting the internal market, says Cristina Cretu, a senior privacy and technology consultant at Romanian law firm MPR Partners. The Covid-19 pandemic has further reinforced the view that digital services are important pillars crucial to avoiding disruption by cyber incidents that can affect the proper functioning of the European Union, necessitating an expansion of activities that will fall under the directive, says Cretu.

Key changes likely to result from an NIS Directive reform (NIS 2) include expanded scope of sectors and services considered as either essential or important entities, including postal and courier services, food, digital services (such as social networking platforms), data center services, and manufacturing of certain critical products that include pharmaceuticals, medical devices, and chemicals.

There will also be more stringent supervision of companies, including administrative sanctions and fines for failures in cybersecurity risk management and reporting obligations. The establishment of a European cyber-liaison organization will coordinate management of large-scale cybersecurity incidents and crises through increased cooperation between EU countries.

Improved data-sharing is recognized as a key component of a coherent cybersecurity policy and will improve how authorities and businesses identify threats, says Alexander Szanto, cybersecurity research fellow at Brandenburg Institute for Society and Security (BIGS). “For example, if a systems supervisory control and data acquisition (Scada) infrastructure is attacked in Germany, the same system is likely implemented in thousands of factories across the world. This means that if one company has this vulnerability, everyone has it. That’s why information needs to be shared, so that everyone can implement [counter measures] at the same time,” he explains.

An Act of Commission

The EU Cybersecurity Act (CSA) straddles both business and consumer markets. At its heart, it aims to unify cybersecurity standards across Europe, allowing a company to obtain certification for an ICT product, service, or practice that will be recognized in any country in the bloc.

A key element is the certification framework, which relies on the development of assessments covering various areas. The first three elements to have been developed are for common criteria schemes, cloud, and 5G, with additional modules currently in development. It’s expected that consumer IoT will be dealt with soon, with the existing ETSI EN 303 645 standard potentially being a key specification for the Rolling Working Group to build upon.

This approach of developing schemes by reusing and updating existing standards as much as possible is official practice, says Philippe Blot, lead certification expert at the European Union Agency for Cybersecurity (ENISA), the agency tasked with responsibility for the CSA. The first set of schemes created will be more horizontal before the work moves on to vertical sectors like automotive or railways, he says.

If one company is vulnerable, everybody is.
_{Alexander Szanto, Cybersecurity research fellow at BIGS}

Certification can be obtained at three levels: basic, where a company can self-certify; substantial, where a certification is received from a private standards company (known as conformity assessment bodies, or CABs); and high, where certification must be obtained from a national cybersecurity certification authority in each member country.

Overall, the CSA will introduce a number of efficiencies. Having EU-wide certification will reduce fragmentation of certification, like the different schemes currently operating in member states such as France, Germany, and the Netherlands (which currently carry out the highest number of certifications within the EU).

This will simplify things for businesses that offer cross-border ICT products and help companies make more informed decisions about the security of their suppliers and supply chains more generally, feeding into cybersecurity universally. For example, in the case of entities covered by the NIS Directive, sourcing products certified under the CSA will help give greater assurance as to the security of their overall network.

The introduction of CABs to handle “substantial”-level certifications will reduce the time spent by national organizations in covering such activities, leaving them more time to concentrate on the “high”-level certifications, says Blot.

Despite CSA certification being voluntary (this will be reviewed in 2023), previous experience suggests that certification will become more common as organizations begin to use it to screen their suppliers, meaning that vendors will see a competitive advantage in being certified, believes Blot. “The maturity of cybersecurity requirements is still growing. For the first companies that get a cybersecurity certificate, even if it is not mandatory, it will be a differentiator in terms of their offering and more companies will follow. It’s a trend seen in other areas [of the cybersecurity industry].”

At the basic assurance level – which will cover consumer IoT – companies can self-certify, which is bound to limit its overall impact in terms of connected devices sold to consumers.

“The Cybersecurity Act is part of the solution but it’s well recognized that it’s only one piece of the jigsaw and, indeed, not the main solution,” says Rod Freeman, an international products lawyer at US law firm Cooley. “The Cybersecurity Act is important in providing a framework for standards and for certification but, on its own, that doesn’t really address the nub of the problem.”

Adoption and Adaptation

Freeman believes that the ultimate goal is likely to be a new piece of horizontal legislation developed under the new legislative framework (NLF), a package of measures that aims to improve market surveillance and boost the quality of conformity assessments. This has been announced by the European Commission, though its eventual implementation is likely to be more than five years away.

Apart from the introduction of a new law, the NLF framework itself will need to be adapted to address the entire life cycle of a device, including security updates, vulnerability handling, and disclosure, because it currently only governs products at the time of sale.

Given the extended timeline for a new law, there has been considerable pressure on policy makers to act sooner on consumer IoT. This has been driven by the member states, including the adoption of a resolution in late 2020 by the European Council. Inaction by Brussels could push individual countries to bring into force national-level legislation, fragmenting the common market.

We really think this could be an added-value globally – but we need to do it right.
_{Christoph Luykx, policy director at Orgalim}

That calculation has resulted in a move to use a delegated act from RED to activate provisions that require manufacturers of wireless devices to fulfill cybersecurity requirements by protecting consumers from fraud and ensuring their privacy. Such a move is acknowledged to have numerous shortcomings. For a start, it will cover only Internet-connected radio equipment and wearable radio equipment (estimated at around 75 percent of the connected-device market) and will not cover connected products that only use wires. In addition to excluding non-radio components (including processors), it won’t cover the life cycle of the product (patches) or require disclosure of vulnerabilities.

Despite its shortcomings, the RED delegated act is seen as the fastest way to introduce a cybersecurity law in the short term, rather than having to wait for the development of a new horizonal law. Industry groups have identified these ambiguities in what is to be covered but they also worry that the regulations will introduce a mandatory set of standards and requirements, only for these to be superseded by a new law.

“We are completely supportive of mandatory baseline requirements under horizontal legislation, or of a certification scheme [like the CSA] which is voluntary and is more of a market-driven mechanism,” said Alberto Di Felice, director for infrastructure, privacy and security at Digital Europe. “What we’re seeing on the other end of the spectrum is the RED delegated act. We are far more skeptical about activating that instrument to target cybersecurity. The potential for overlaps and inconsistencies is huge.”

An important question is whether the delegated act will have coherence with the new horizontal law, which the European Commission has indicated is its intention. Da Silva believes that the rules put in place by the RED delegated act will match up new rules at the horizontal level that are coming, though overall the new horizontal law will be much broader in scope.

Overall, there is recognition among industry groups of the need for comprehensive regulation governing cybersecurity – and even its inevitability, given that the alternative would be a high degree of fragmentation – but the hope is to avoid contradictory or unworkable rules and develop these within the NLF, where there is input from industry.

Orgalim, a federation of European technology industry bodies, has called for horizontal legislation under the NLF. Christoph Luykx, its policy director, says that seeing such a request coming from industry may be surprising to a lot of people. “But it is precisely because we see a risk of fragmentation, the increased cost to produce and manufacture products, the confusion for the manufacturers and consumers, that is why we put forward a proposal for horizontal legislation,” he explains.

Coherent cybersecurity rules for the European marketplace can ultimately help companies gain an advantage by allowing them to prove their credentials, both at home and abroad, believes Luykx. “If we get this right, and we are coordinated, and the cost and the bureaucracy of this is manageable, [manufacturers] can take cybersecurity into account from the development of a product to its rollout and during its lifetime. So, we really think this could be an added-value globally – but we need to do it right and there is still a lot of work to do.

READ MORE ARTICLES