What are the regulations concerning IoT?

3 October 2024

From vehicles to watches, and from lighting to trash cans and even clothing, connected products are now ubiquitous in our daily lives. With the rise of the Internet of Things (IoT), more and more devices are placing large amounts of data in the cloud. The rise of cybercrime has become a major issue for manufacturers, who must ensure the security of both the devices and the data collected. Within the European Union, two new regulations concerning IoT are highly anticipated in 2024: the CRA and NIS 2. What does the law foresee to enhance the security of IoT devices and data protection? Let’s take a look.

The European Cyber Resilience Act (CRA)

In March 2024, the European Parliament approved the Cyber Resilience Act (CRA). This regulation aims to protect consumers and businesses using connected products and applications that process data remotely. It imposes cybersecurity obligations on manufacturers and retailers that must be applied throughout the entire product lifecycle.

This law specifically requires:

  • More “security by design”: manufacturers must consider security standards from the very design of the product. No security vulnerabilities should exist at the time of delivery.
  • Rigorous technical documentation assessing cyber risks.
  • Regular product updates to fix potential vulnerabilities.

Since the CRA still requires validation by the European Council, the timeline for its implementation is not yet known. However, it is expected to be adopted within the year. Upon its application, the affected stakeholders will have 36 months (3 years) to adapt to the new obligations.

The supervisory authorities of each member state will be required to impose fines on companies that do not meet certification standards and to prohibit the marketing of non-compliant devices.

The NIS 2 Directive

The NIS 2 (Network and Information Security) Directive expands the scope of the original 2016 NIS Directive. It now covers 35 sectors, up from 19, including digital service providers, public administrations, transportation, healthcare, and banking. This affects a wide range of industries, from large corporations in the CAC40 to mid-sized enterprises (ETIs). But that’s not all: it also introduces new requirements to strengthen cybersecurity within the EU.

Here are some examples:

  • Holding Management Accountable for Cyber Incidents

The CEO and the executive committee must be designated as responsible for cybersecurity within the company. Several sanctions are planned for certain industries (essential entities), such as banning executives from practicing.

  • Quickly Reporting Cybersecurity Incidents

Companies are required to notify the relevant national authority (in France, this is ANSSI) within 72 hours of the incident. Clear processes and technical means must be in place to neutralize the threat as quickly as possible. They must also undergo security audits.

Several articles of the directive mandate strengthening the control of users who have access to connected objects (Zero Trust strategy) and encourage companies to plan for regular software updates. Each European Union country must transpose this directive by October 2024 at the latest.

The Cybersecurity Act

This act strengthens the power of the European Union Agency for Cybersecurity (ENISA) and introduces a new cybersecurity certification:

  • Enhanced cooperation

Given that cyberattacks are now a major concern for European defense, it was necessary to harmonize defense mechanisms to ensure a common response from the 27 member states. National agencies, now playing only a consultative role, are coordinated under the guidance of ENISA.

  • A single cybersecurity certificate

The various national cybersecurity certificates are consolidated into a single European certificate. This certificate is issued by the national agencies of each country and is mutually recognized within the member states. On January 31, 2024, the first cybersecurity certification scheme, the EUCC, was adopted. The objective is to harmonize evaluation methods and procedures for certifying products and software.

GDPR, the General Data Protection Regulation

The GDPR is the world’s strictest legislation on privacy protection. Adopted in 2018, it makes the security of IoT a major issue and outlines users’ rights regarding their data: modification, access, right to be forgotten, portability, etc. To encourage companies to design connected devices differently, it imposes the concept of “privacy by design”: the protection of personal data must be considered from the very design phase of the product. The goal: to restore consumer trust in connected devices.

With the GDPR, manufacturers are required to implement security measures to ensure the confidentiality, authenticity, and integrity of data. This includes device-to-device authentication mechanisms and encryption of data exchanges. An important point: subcontractors must also comply with the GDPR.

Did you know?

The United Kingdom was the first country to impose cybersecurity standards for IoT devices. In April 2024, the Product Security and Telecommunications Infrastructure (PSTI) Act came into force. It requires companies to integrate security protections into any product with an internet connection. Default passwords such as “1234” and “admin” are thus prohibited.

Objenious, your partner in realizing your IoT projects

Are you a manufacturer of connected objects? At Objenious, a Bouygues Telecom brand dedicated to IoT, we offer tailored support. We provide both LTE-M and NB-IoT and have been covering over 99% of the French population since the end of 2022. We are also present in more than 126 countries! The result: guaranteed performance for your connected objects, even in rural areas. Contact our experts to be guided in your technological choice and discover our digital offers.