ENISA and Semiconductor Companies Seek Cybersecurity Standards from European Commission

Morgan Lewis

Morgan Lewis

The European Union Agency for Network and Information Security (ENISA), along with three semiconductor companies, recently released a position paper proposing a position for the European Commission (EC) on security and privacy standards as they relate to Internet of Things (IoT) devices. ENISA is an agency established by the European Union to assist the EC, its member states, and businesses in addressing, responding to, and preventing cybersecurity issues. The paper points out that as IoT devices expand into all aspects of everyday life, including critical infrastructure and health systems, cyberattacks are becoming more threatening and more risky. The paper includes four key recommendations.

First, the EC should define a framework to ensure minimal security requirements for connected devices. This framework should include a baseline security certification addressing IoT devices, commercial off-the-shelf (COTS) products and services, and products with short life cycles. The framework should also include a European trust label for connected devices that clearly indicates to consumers that the products meet established security guidelines.

Second, the EC should ensure that reliable processes and services are being developed and implemented by IoT manufacturers. The EC should promote awareness of existing security features such as encryption and strong authentication, and support the continued study of and improvement upon such existing security features.

Third, the EC should encourage the development of minimal requirements and common principles that should also be considered in future revisions of existing legislation and new legislative initiatives. In developing these requirements and principles, commonalities should be used across various sectors of the economy (e.g., healthcare, energy, transportation) to minimize the amount of standards for similar certifications. The requirements and principles should also take into account safety where human lives would be endangered by cyberattacks (e.g., cyberattacks in the automotive or healthcare sectors).

Lastly, the EC should strive to create a level playing field, which could include a “Digital Security Bonus” as a reward for implementing good security practices, as well as an enforceable set of penalties for dealing with vendors that abuse established practices or deliver counterfeit products.

Whether the EC adopts any portion of the proposal remains to be seen. In a post last fall, we noted there was growing concern by members of US Congress over regulation of IoT devices. In the United States, both the Federal Trade Commission and the Department of Homeland Security have issued guidance to IoT manufacturers, but compliance with such guidance is voluntary. We will provide updates on this topic as new information becomes available.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morgan Lewis | Attorney Advertising

Written by:

Morgan Lewis

Morgan Lewis on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.