IoT security is a growing concern when developing connected devices and bringing them to market. However, there is presently a lack of clarity about which regulations and requirements to respect, as many actors are working simultaneously on certifications, laws and/or standards. To help you figure this out, we briefly present some of the main legal requirements and standards currently in force that apply to consumer IoT devices.
Main Legal Requirements for IoT Security in the European Union
ETSI EN 303 645 « CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements »
Published in June 2020 by the European Telecommunications Standards Institute (ETSI), this standard aims to address the most important and widespread weaknesses. It provides an essential security baseline to defend against cyberattacks targeting consumer IoT devices. It also lays the foundations for future IoT certifications.
The standard details 13 provisions for the security of connected devices and 5 for data protection. It adapts the TS 103 645 technical specification.
Learn more about the ETSI EN 303 645 standard
Radio Equipment Directive (RED)
The RED Directive defines technical and administrative requirements for radio equipment. It enables CE marking, which indicates that a product complies with the standards required for the European market.
It is up to the manufacturer to demonstrate the conformity of the product, either by internal control or by a notified body that studies the internal control or examines the production system.
As radio equipment is increasingly connected, the European Commission is considering a specific update of the RED Directive requirements to regulate IoT. This is a directive to follow closely, as some are announcing publication of the new requirements for the beginning of 2021.
Learn more about the RED Directive
General Data Protection Regulation (GDPR)
As the GDPR concerns the processing of all personal data of all persons residing in the European Union, connected devices are naturally covered by this regulation, which came into force in May 2018.
The GDPR requires that personal data be protected from the design stage of a product (Privacy by design) and in the default settings (Privacy by default).
Companies are responsible for achieving compliance with GDPR requirements on their own. Heavy fines are provided for and are starting to be imposed in cases of non-compliance.
The draft ePrivacy Regulation, which is intended to harmonise the GDPR and the 2002 ePrivacy Directive, is still under discussion.
Learn more about the GDPR.
Current Regulation in the United Kingdom
A Code of Practice for Consumer IoT Security was published in 2018 in the UK. It is a guide to good practices for IoT security and focuses on 13 areas. This document aims to help manufacturers, with guidelines that set out practical, outcome-focused steps.
To strengthen this Code of Practice, which gives guidelines for voluntary actions, the government is currently working on a law. Discussions are underway on how these future legal requirements would be enforced, and on whether resellers would be required to sell only connected products:
- that will have an IoT Security label,
- or that will comply with the three main guidelines, with self-assessment or through a labelling system,
- or that will comply with the 13 areas of the Code of Practice, with self-assessment or through a labelling system.
Currently, the proposal would require that:
- « All consumer internet-connected device passwords must be unique and not resettable to any universal factory setting
- Manufacturers of consumer IoT devices must provide a public point of contact so anyone can report a vulnerability and it will be acted on in a timely manner
- Manufacturers of consumer IoT devices must explicitly state the minimum length of time for which the device will receive security updates at the point of sale, either in store or online. »
Following the current Code of Practice seems to be a good way to anticipate the future law.
IoT Legal Security Requirements in the United States
The Internet of Things Cybersecurity Improvement Act is a law that was enacted on December 4, 2020.
In brief, it requires the National Institute of Standards and Technology (NIST) to publish guidelines and standards for the security of all connected devices that will be used and managed by federal agencies. In addition, these agencies must implement policies for responsible disclosure of vulnerabilities.
Although the text does not directly concern the private market for connected devices, it should influence a large majority of manufacturers, who will not want to lose the federal agency market.
Learn more about the Internet of Things Cybersecurity Improvement Act
We have chosen to mention only a few regulations that we consider to be the main ones, but take the time to study the legal situation that applies to your context or your business objectives. For example, Finland, Singapore, California and Japan have also published specific laws regulating the security of connected devices.
Along with these legal obligations, many organisations are publishing extensive recommendations to support future standards. For example, ENISA, the European Network and Information Security Agency, has issued Guidelines for Securing the Internet of Things (November 2020), Good Practices for IoT and Smart Infrastructures Tool and Good Practices for Security of IoT – Secure Software Development Lifecycle.
Finally, specialised service providers can assist you on specific topics. For example, you might be interested in our white paper Security of IoT Wireless Technologies or in a pentest dedicated to connected devices.