Three Reasons Device Makers Should Prepare Now for the Cyber Resilience Act
2023-11-9 21:0:19 Author: securityboulevard.com

Europe’s Cyber Resilience Act will rewrite the rules for connected devices on the continent. As I wrote recently for Security Boulevard, the draft legislation would set mandatory cybersecurity standards for connected devices and require products to stay up-to-date throughout their lifespan. It’s a world first that will protect consumers and force companies to bring their products up to code.

Of course, the act is still up for debate, but it’s inching closer toward passage with each month. In July, European member states reached a common position on the proposed legislation. Now, negotiations in the parliament are underway on the final version.

Ready or not, companies will soon need to adhere to the act and improve security in the internet of things (IoT). Doing so will take time, money and device redevelopment. Meanwhile, there are heavy fines for non-compliance. Let’s explore why device makers should start preparing now.

Cautionary Tales From GDPR

Once the act is enacted, industry insiders expect a two-year grace period for companies to comply with the regulation. In technology, this isn’t a big window, especially when dealing with sweeping changes to cybersecurity and functionality.

For example, Europe’s other big tech regulation – the General Data Protection Regulation (GDPR) – was debated and discussed for years and still caught many off guard. That regulation cast a similarly wide net, encompassing various data sources from customer databases to internal logs. As a result, companies needed to update their data storage and management methods. Prior to the GDPR’s enforcement, Veritas revealed that one-third of survey respondents felt apprehensive about their existing infrastructure and how it would effectively handle data under the new rules.

Complying with the GDPR entailed more than just filing reports – it mandated substantial investments in existing systems. The same report found that, on average, organizations were poised to spend €1.3 million toward regulation readiness initiatives. From system redesigns to costly updates, this should serve as a cautionary tale on the importance of early preparedness.

Smaller Devices, Bigger Challenges

Additionally, this regulation focuses on smaller embedded and connected devices, which often have limited processing power compared to traditional computers.

As such, incorporating the regulation’s security measures demands meticulous optimization and adaptation to these limited resources. This process requires an extended development timeline and heightened investment to ensure that any redesign doesn’t compromise the device’s primary functions or consume excessive power.

The diversity of embedded devices within the IoT ecosystem compounds the challenge. Each device type usually has its own architecture, communication protocols, and software stack, further complicating the task of implementing standardized security measures. This process entails in-depth analysis, customization and rigorous testing to ensure compliance while preserving functionality. Ultimately, this takes time.

The Stakes of Non-Compliance

As mentioned, two years to redevelop and redesign devices is not very long, and hefty penalties await those who don’t hit the deadline. Failure to comply will result in fines of up to €15 million or 2.5% of global turnover, whichever is higher.

Compliance is not just about fine avoidance. Rather, it positions businesses to seize leadership opportunities and foster future growth. Europe is one of the world’s biggest markets and staying in step with its regulations is a strategic investment. For connected device companies, proactive compliance safeguards your foothold with a vital consumer base.

My advice is to prepare as soon as possible. Europe already has a reputation for world-leading regulations that bolster privacy and cybersecurity. Now is the time to get a head start on the competition and fine-tune your solutions.

It’s more likely than not that we’ll see the passage of Europe’s Cyber Resilience Act. The question is: Will you be ready?

Article source: https://securityboulevard.com/2023/11/three-reasons-device-makers-should-prepare-now-for-the-cyber-resilience-act/