EU Cybersecurity Act Could Impact Cross-Border Data Flows

Consumers are expecting more from products they have used for decades, seeking additional control over devices ranging from refrigerators to cars to fire alarms. The Internet of Things (“IoT”), which involves the inclusion of limited data processing and software functionality in everyday devices connected to the Internet, has allowed people to set their refrigerator temperature remotely from their phone and monitor their car from afar.

But the limited nature of IoT devices means that they have been notoriously vulnerable to cyber-attack.  The European Union believes that regulating IoT devices can solve this problem.  Other countries, the US among them, are sceptical about the utility of regulation in this fast-moving industry.

The EU Cybersecurity Act

The EU plans to exert pressure on IoT device manufacturers through the EU Cybersecurity Act, which, as currently constructed, would create a single certification scheme for information communications technology (“ICT”) devices.

On June 8, the Council of the EA agreed on its position for the proposal, which allows for future deliberation within the European Parliament.  If the Council and the Parliament agree, the Act will become law.

The stated goal for the Act is to build consumer trust in IoT products while continuing construction of a single EU digital marketplace.  The second goal is difficult given that many individual EU member states already have their own cybersecurity certification rules.

The push for certification also goes hand in hand with the EU’s Network Infrastructure Security Directive (“NISD”), which went into effect in May 2018 and is designed to protect important sectors such as banking, energy and technology from cyber-attacks.

NISD includes standards to prevent data breaches and quickly and efficiently confront problems as they occur.  It also calls for penalties set by each EU member state for companies that either lack sufficient security protections or fail to notify authorities of breaches.

The Act would also increase the authority of the EU Agency for Network and Information Security (“ENISA”) and make it a permanent EU-wide cybersecurity agency.  Currently, ENISA serves as a body of experts voluntarily consulted on cybersecurity matters.

But the Act would grant ENISA powers to support both member states and EU institutions on all cybersecurity issues and to conduct cybersecurity exercises.  ENISA would also be responsible for carrying out certifications of IoT products.  

Under the Act as currently proposed, certifying products would be a voluntary exercise for companies unless otherwise stated in EU or specific member state law.

Under the Act, the European cybersecurity certification would: “attest that the ICT processes, products and services that have been evaluated in accordance with [the European cybersecurity certification framework] comply with specified security requirements with the aim to protect the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the functions or services offered by, or accessible via, those protects, processes and services throughout their life cycle.”

While the certification process has the laudable goal of increasing security for IoT devices, details are scarce on exactly what standards will be applied.  The preliminary Act already details different levels of certification, ranging from “basic” to “substantial” to “high.”

But it remains unclear what standards whether different standards will be used for different kinds of devices.  In other words, will cars be held to the same standard as refrigerators?  

More importantly, the Act does not explain how the certification will be renewed or checked throughout the “life cycle” of the IoT device, as set forth in Article 43.  Would remote security updates be sufficient, or will verified security audits be necessary for continued certification?  

More than likely, the vague nature of the security specifications within the proposed Act is intentional, as the rapid nature of the development of ICT and IoT devices means that specific security requirements would become obsolete almost overnight.  But clear standards will be necessary before the Act becomes law.

Legal Questions

From a broader perspective, the Act raises two key legal questions.  First, if the Act creates a new standard of safety for ICT and IoT devices, who will be held liable when a data breach occurs through a certified device?  Second, how will the Act and the certification process impact cross-border data transfers between EU and non-EU countries?

Shield for Liability?

Currently, if a consumer in the EU has his or her personal data stolen through an ICT or IoT device, that consumer will pursue a remedy against the manufacturer of the device.  But what if the Act passes and the device in question is certified as complying with the EU’s security requirements?  Could the consumer hold the EU liable for a breach?

Nothing in the Act suggests that certification would shield an ICT or IoT manufacturer from liability for a data breach.  

However, given that lawsuits and complaints about events leading to data breaches often turn on whether the manufacturer acted reasonably in protecting the data at issue, certification under the Act would appear to be a key fact in that analysis.  

In addition, companies certifying their products under the Act would be working closely with ENISA, a body that could also be involved in the investigation of the data breach.  Facts relating to a company’s cooperation with ENISA and other EU agencies in investigating and halting a breach could be used to show that the company acted reasonably and responsibly.

The danger to the EU would arrive through the labelling of products as “certified” to create a sense that they are secure and absolutely safe.  While the Act makes clear that nothing can guarantee 100 per cent security, consumers may be drawn to certified products based on their belief that the information processed through such products is protected.  

If a breach occurs within or through a certified product, consumers may challenge the sufficiency of the Act, the standards for certification, or the processes through which ENISA ensures that the products meet the standards.

Cross-Border Issues

Another issue arises when one considers the origin and portability of so many ICT and IoT devices.  Any time a US-manufactured IoT device sends data from the EU to the US, regulatory issues must be navigated.  The EU General Data Protection Regulation (“GDPR”) and NISD both regulate such cross-border transfers, but it is unclear at this point how the proposed Act will incorporate the principles of these regulations.

The United States is urging caution when it comes to regulating ICT and IoT devices.  In a letter written by the US Chamber of Commerce (among others) and addressed to the European Commission on the proposed Act, the US implored the EU to avoid unnecessary regulation, eschew a one-size-fits-all approach to certification, and prevent creating a false sense of security through labelling certain products as “certified.”  

The US is pushing for policies based on “existing global, voluntary, consensus, and industry-driven standards” for cybersecurity as opposed to a black-and-white certification process.

If the Act passes and certification becomes a necessity to effectuate profitable sales of ICT and IoT devices in Europe, U.S manufacturers of such products may need to navigate the GDPR, the NISD, and the Act in concert.  

As the US Chamber of Commerce seems to recognise, this could be costly.  In any event, all companies involved in the ICT and IoT industry should follow closely the finalisation of the Act in the EU Council and Parliament.

ITProPortal:

You Might Also Read: 

Get Ready For ePrivacy Regulation:

What Does The EU Cybersecurity Vote Mean To You?:

 

« Hackers Paid Big Money To Improve Cybersecurity
Crypto-Mining Hits 42% Of Organisations Worlwide »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of completely automatic, fully encrypted online, cloud backup.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Kaseya

Kaseya

Kaseya Traverse enables you to get to the bottom of problems quickly via root cause analysis, across Cloud, on-premise, hybrid Cloud, virtualized and distributed IT environments.

Australian Cyber Security Centre (ACSC)

Australian Cyber Security Centre (ACSC)

The Australian Cyber Security Centre (ACSC) brings cyber security capabilities from across the Australian Government together into a single location.

Introspective Networks

Introspective Networks

Introspective Networks (IN) is a Cybersecurity company focusing on securing data in the network and automating knowledge work to decrease vulnerability points to critical infrastructure.

MonsterCloud

MonsterCloud

MonsterCloud is a leader in managed cyber security services. Our cyber security team constantly monitors and protects businesses from cyber threats.

Reason Cybersecurity

Reason Cybersecurity

Reason Cybersecurity is a powerful cloud-based security software that detects, blocks and destroys malware, adware and PUPs in real-time.

Claranet

Claranet

Claranet are experts in modernising and running critical applications and infrastructure through end-to-end professional services, managed services and training.

Women in CyberSecurity (WiCyS)

Women in CyberSecurity (WiCyS)

Women in CyberSecurity (WiCyS) is a non-profit organization dedicated to the recruitment, retention and advancement of women in the cybersecurity field.

Crosspring

Crosspring

Crosspring is an incubator/accelerator for people who have the ambition to start a successful business or want to extend their existing business in the areas of FinTech, AR, VR, Cybersecurity and SaaS

SOSA

SOSA

SOSA facilitates new growth opportunities by connecting the dots between industry verticals and innovation ecosystems around the world.

Envelop Risk

Envelop Risk

Envelop Risk is a global specialty cyber insurance firm, combining decades of insurance industry expertise with sophisticated cyber and artificial intelligence-based analytics.

Augmenta Cyber Security

Augmenta Cyber Security

Augmenta is a value driven preferred partner in assisting customers with complete cyber security solutions.

nsKnox

nsKnox

nsKnox is a fintech-security company, enabling corporations and banks to prevent fraud and ensure compliance in B2B Payments.

META-Cyber

META-Cyber

META-cyber was founded by engineers with experience in process and control-protection to provide cyber security for industrial infrastructure.

MyCISO

MyCISO

MyCISO is the World’s first SaaS application that will vastly simplify security management for all.

Cymune

Cymune

At Cymune we help businesses to fight against cybercrime, protect patented data and diminish security risks.

InfoSec4TC

InfoSec4TC

InfoSec4tc is an online Information Security Courses, Training, and Consultancy provider.