EU Cybersecurity Act Could Impact Cross-Border Data Flows

Uploaded on 2018-08-08 in NEWS-Cybersecurity News, GOVERNMENT-National, FREE TO VIEW, BUSINESS-Services-Law

Consumers are expecting more from products they have used for decades, seeking additional control over devices ranging from refrigerators to cars to fire alarms. The Internet of Things (“IoT”), which involves the inclusion of limited data processing and software functionality in everyday devices connected to the Internet, has allowed people to set their refrigerator temperature remotely from their phone and monitor their car from afar.

But the limited nature of IoT devices means that they have been notoriously vulnerable to cyber-attack.  The European Union believes that regulating IoT devices can solve this problem.  Other countries, the US among them, are sceptical about the utility of regulation in this fast-moving industry.

The EU Cybersecurity Act

The EU plans to exert pressure on IoT device manufacturers through the EU Cybersecurity Act, which, as currently constructed, would create a single certification scheme for information communications technology (“ICT”) devices.

On June 8, the Council of the EA agreed on its position for the proposal, which allows for future deliberation within the European Parliament.  If the Council and the Parliament agree, the Act will become law.

The stated goal for the Act is to build consumer trust in IoT products while continuing construction of a single EU digital marketplace.  The second goal is difficult given that many individual EU member states already have their own cybersecurity certification rules.

The push for certification also goes hand in hand with the EU’s Network Infrastructure Security Directive (“NISD”), which went into effect in May 2018 and is designed to protect important sectors such as banking, energy and technology from cyber-attacks.

NISD includes standards to prevent data breaches and quickly and efficiently confront problems as they occur.  It also calls for penalties set by each EU member state for companies that either lack sufficient security protections or fail to notify authorities of breaches.

The Act would also increase the authority of the EU Agency for Network and Information Security (“ENISA”) and make it a permanent EU-wide cybersecurity agency.  Currently, ENISA serves as a body of experts voluntarily consulted on cybersecurity matters.

But the Act would grant ENISA powers to support both member states and EU institutions on all cybersecurity issues and to conduct cybersecurity exercises.  ENISA would also be responsible for carrying out certifications of IoT products.  

Under the Act as currently proposed, certifying products would be a voluntary exercise for companies unless otherwise stated in EU or specific member state law.

Under the Act, the European cybersecurity certification would: “attest that the ICT processes, products and services that have been evaluated in accordance with [the European cybersecurity certification framework] comply with specified security requirements with the aim to protect the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the functions or services offered by, or accessible via, those protects, processes and services throughout their life cycle.”

While the certification process has the laudable goal of increasing security for IoT devices, details are scarce on exactly what standards will be applied.  The preliminary Act already details different levels of certification, ranging from “basic” to “substantial” to “high.”

But it remains unclear what standards whether different standards will be used for different kinds of devices.  In other words, will cars be held to the same standard as refrigerators?  

More importantly, the Act does not explain how the certification will be renewed or checked throughout the “life cycle” of the IoT device, as set forth in Article 43.  Would remote security updates be sufficient, or will verified security audits be necessary for continued certification?  

More than likely, the vague nature of the security specifications within the proposed Act is intentional, as the rapid nature of the development of ICT and IoT devices means that specific security requirements would become obsolete almost overnight.  But clear standards will be necessary before the Act becomes law.

Legal Questions

From a broader perspective, the Act raises two key legal questions.  First, if the Act creates a new standard of safety for ICT and IoT devices, who will be held liable when a data breach occurs through a certified device?  Second, how will the Act and the certification process impact cross-border data transfers between EU and non-EU countries?

Shield for Liability?

Currently, if a consumer in the EU has his or her personal data stolen through an ICT or IoT device, that consumer will pursue a remedy against the manufacturer of the device.  But what if the Act passes and the device in question is certified as complying with the EU’s security requirements?  Could the consumer hold the EU liable for a breach?

Nothing in the Act suggests that certification would shield an ICT or IoT manufacturer from liability for a data breach.  

However, given that lawsuits and complaints about events leading to data breaches often turn on whether the manufacturer acted reasonably in protecting the data at issue, certification under the Act would appear to be a key fact in that analysis.  

In addition, companies certifying their products under the Act would be working closely with ENISA, a body that could also be involved in the investigation of the data breach.  Facts relating to a company’s cooperation with ENISA and other EU agencies in investigating and halting a breach could be used to show that the company acted reasonably and responsibly.

The danger to the EU would arrive through the labelling of products as “certified” to create a sense that they are secure and absolutely safe.  While the Act makes clear that nothing can guarantee 100 per cent security, consumers may be drawn to certified products based on their belief that the information processed through such products is protected.  

If a breach occurs within or through a certified product, consumers may challenge the sufficiency of the Act, the standards for certification, or the processes through which ENISA ensures that the products meet the standards.

Cross-Border Issues

Another issue arises when one considers the origin and portability of so many ICT and IoT devices.  Any time a US-manufactured IoT device sends data from the EU to the US, regulatory issues must be navigated.  The EU General Data Protection Regulation (“GDPR”) and NISD both regulate such cross-border transfers, but it is unclear at this point how the proposed Act will incorporate the principles of these regulations.

The United States is urging caution when it comes to regulating ICT and IoT devices.  In a letter written by the US Chamber of Commerce (among others) and addressed to the European Commission on the proposed Act, the US implored the EU to avoid unnecessary regulation, eschew a one-size-fits-all approach to certification, and prevent creating a false sense of security through labelling certain products as “certified.”  

The US is pushing for policies based on “existing global, voluntary, consensus, and industry-driven standards” for cybersecurity as opposed to a black-and-white certification process.

If the Act passes and certification becomes a necessity to effectuate profitable sales of ICT and IoT devices in Europe, U.S manufacturers of such products may need to navigate the GDPR, the NISD, and the Act in concert.  

As the US Chamber of Commerce seems to recognise, this could be costly.  In any event, all companies involved in the ICT and IoT industry should follow closely the finalisation of the Act in the EU Council and Parliament.

ITProPortal:

You Might Also Read: 

Get Ready For ePrivacy Regulation:

What Does The EU Cybersecurity Vote Mean To You?:

 

« Hackers Paid Big Money To Improve Cybersecurity
Crypto-Mining Hits 42% Of Organisations Worlwide »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Nordic IT Security

Nordic IT Security

Nordic IT Security is a cyber security business forum in Scandinavia bringing together the converging worlds of IT, Cyber and Information Security.

National Security Agency (NSA)

National Security Agency (NSA)

NSA is a US intel agency responsible for the protection of government communications and information systems against penetration and network warfare.

Certus Software

Certus Software

Our Secure Data Erasure solutions protect customer data confidentiality by completely erasing it from data storage devices.

Guy Carpenter

Guy Carpenter

Guy Carpenter delivers a powerful combination of broking expertise, strategic advisory services, and industry-leading analytics.

Black Kite

Black Kite

Black Kite (formerly NormShield) provides comprehensive Security-as-a-Service solutions focused on cyber threat intelligence, vulnerability management and continuous perimeter monitoring.

Red Balloon Security (RBS)

Red Balloon Security (RBS)

Red Balloon Security is a leading embedded device security company, delivering deep host-based defense for all devices.

NSHC

NSHC

NSHC is a provider of mobile security solutions, cyber security consulting and training, and offensive research.

OneTrust

OneTrust

OneTrust is the largest and most widely used technology platform to operationalize privacy, security and third-party risk management.

Sponge

Sponge

Cybersecurity Sorted by Sponge is a seriously engaging training game to make your staff the first line of defence against cyber threats.

Danish Maritime Cybersecurity Unit

Danish Maritime Cybersecurity Unit

The Danish Maritime Cybersecurity Unit is tasked with delivering the initiatives set out in the Cyber and Information Security Strategy for the Maritime Sector.

EUROCONTROL

EUROCONTROL

EUROCONTROL is a pan-European, civil-military organisation dedicated to supporting European aviation. We help our stakeholders protect themselves against cyber threats.

Trusona

Trusona

Trusona is a pioneer and leader in passwordless two-factor authentication (2FA).

DarkLight

DarkLight

DarkLight is a cybersecurity platform that mimics human thinking at scale to build resiliency to Advanced Persistent Threats.

The Cyber AB

The Cyber AB

The Cyber AB is the official accreditation body of the Cybersecurity Maturity Model Certification (CMMC) Ecosystem.

Mitnick Security

Mitnick Security

Mitnick Security is a leading global provider of information security consulting and training services.

Willyama Services

Willyama Services

Willyama Services is a certified Information Technology and Cybersecurity professional services business providing services to government and private sector clients.