EU Member States call for an IoT certification scheme

On 2 December, the Council of the EU adopted conclusions on the cybersecurity of connected devices. This document is not a binding text, but it calls on the European Commission to take action on this topic. Among other things, the Member States call on the Commission to consider a request for the preparation of a candidate scheme for connected devices. The conclusions also mention the ETSI EN 303 645 standard on cybersecurity for consumer IoT, described as an “important step” to improve security in the Digital Single Market.

Please find below the link to the document and a briefing on the key points.

Conclusions on the cybersecurity of connected devices

Cybersecurity by design

The Member States underline that cybersecurity and privacy are essential requirements in product innovation, the production and development processes, including the design phase (security by design). They further stress that cybersecurity and privacy should be ensured throughout a product’s entire life cycle and across its supply chain.

In addition, the Council stresses the need for a high level of complementarity and comparability of security functionalities of ICT systems and ICT components used in many different sectors.

 

Investing in IoT security

The Council observes that public investments in research and innovation (e.g. through Horizon Europe, Digital Europe), as well as private investments, can create incentives to make connected devices safer and more secure.

 

The need for horizontal legislation

The Council acknowledges the Commission’s efforts to address cybersecurity for IoT, including through the Radio Equipment Directive (RED). The Council’s document underlines the importance of assessing the need for horizontal legislation in the long term to address all relevant aspects of cybersecurity of connected devices, such as availability, integrity and confidentiality. Horizontal legislation to complement the RED is currently envisaged by the Commission. It would cover all connected devices and all residual cybersecurity risks. The Council welcomes the discussion to explore the scope of such horizontal legislation and its links with the Cybersecurity Act.

Such horizontal legislation could be complemented by sector-specific regulations for devices with higher security risks.

 

Certification scheme for IoT

The Council mentions ENISA and its ongoing work on the EUCC and cloud schemes. It observes that these schemes will be relevant foundations to certify connected devices.

The document further states that any additional certification scheme for IoT under the Cybersecurity Act should specify how applicable security requirements at the relevant assurance level should be met on the basis of European and internationally recognised standards, regardless of the sector in which the product is to be used, and which test specifications, certificates etc. are to be applied.

The Council invites the Commission to consider a request for a certification scheme for connected devices and related services, taking utmost account of the horizontal European cybersecurity certification schemes currently being developed. The document mentions the voluntary aspect of certification.

 

Standards: ETSI EN 303 645 mentioned

The Council recommends strengthening the efforts undertaken by European Standards Organisations. It considers ETSI EN 303 645 an important step. Eurosmart contributed to the elaboration of this standard through its consultant, Gisela Meister, who takes part in ETSI TC Cyber.

 

If you have any questions, please do not hesitate to contact Camille Dornier - Policy Manager: camille.dornier@eurosmart.com

Eurosmart
Rue de la Science 14B - 1040 Brussels BELGIUM
Privacy Policy - EU transparency register #21856815315-64