CYBERSECURITY FOR CONNECTED PRODUCTS – ANEC and BEUC Position Paper

Why it matters to consumers

Consumers are increasingly using connected devices in their daily lives. Already today, Europeans can remotely switch on the lights in their house, turn on their washing machine or open their door lock with their smartphone. This ongoing digitalisation requires that consumers’ devices are protected against cyberattacks. While the number of connected products is rising, many of these products are manufactured without basic security features embedded in their system. This lack of security eventually increases the risk that consumers become victims of a malicious cyberattack and will distrust the Internet of Things. Thus, a EU policy response to reduce cybersecurity risks is urgently needed.

Summary
Today, most of the connected devices available in the EU’s Single Market are designed and manufactured without the most basic security features embedded in their software. In order to trust the Internet of Things, consumers must be assured that the connected products they purchase or services they use are secure and protected from software and hardware vulnerabilities. For this to happen security by design and by default must become a priority.

To this end, ANEC and BEUC would like to suggest some elements to improve the current regulatory framework as well as the European Commission’s proposal for a Cybersecurity Act:

• A minimum set of security measures should be obligatory for all connected products as a condition for putting them on the market. These requirements should include at least encryption, software updates and strong authentication methods.
• The General Product Safety Directive as well as product specific safety legislation (Toy Safety Directive, Low Voltage Directive, Radio Equipment Directive, etc.) must be updated to ensure that they are in line with the new ‘security for safety’ concept of the general legal framework.
• ANEC and BEUC call on the European Commission to swiftly adopt a delegated act clarifying which products would fall under the ‘privacy requirement’ foreseen in Article 3 (3) of the Radio Equipment Directive. Connected products for consumers should be included within this category.
• For high-risk-affected connected products (e.g. self-driving cars, products for children, smart home and security products, smart cities systems, medical devices), the application of minimum security requirements should be complemented with mandatory cybersecurity certification.
• National authorities should be able to withdraw products from the market that do not comply with legal security requirements and/or certification schemes.

The complete position paper is available here.