The Internet of Things, or IoT for short, is becoming increasingly important not only in the corporate world. IoT products are also increasingly being used in city and municipal government in the smart city sector. The same applies to private homes. There, too, many kitchen appliances as well as toys for children are equipped with WLAN. Due to the increased use, the European Commission has passed the Cyber Resilience Act.
Cyber Resilience Act for secure IoT products
The high number of different IoT products poses a threat to security. For example, the optimally protected network in the home is of little use if a criminal can hack into the home network unnoticed via the WLAN toaster. From there, the perpetrators then manage to switch on webcams or phones unnoticed.
This would allow the residents to be spied on without much effort. Sometimes, the criminals even manage to access the end devices that are logged into the respective WLAN. Then, despite good security measures, they could obtain access data or credit card details. The European Commission therefore sees an urgent need for action.
Numerous manufacturing and processing companies also have IoT products that exchange data with each other. Security standards must therefore be introduced there as well. The European Commission has responded to this with the Cyber Resilience Act.
What is stipulated in the Cyber Resilience Act?
It’s about the European Union setting guidelines for the security of all IoT products. Manufacturers of components for the Internet of Things will be required to ensure security at all stages of development and manufacturing. It starts with the design and development of new products. Then it goes through production as well as further processing or refinement. All steps up to delivery to the customer should be monitored.
In this way, weak points can be identified and eliminated at an early stage. There is also an obligation for the maintenance and care of the IoT products. This mainly involves updates. These should be made available for each product for a period of at least five years.
There are three security classes
The Cyber Resilience Act naturally took into account that there are major differences in security requirements. Therefore, three different security tiers have been established. The simplest level is called “standard.” This level includes IoT devices that are not exposed to any particular security risks. These include household appliances and children’s toys, among others.
The “First Critical Class” already includes more important components. These may be password managers or firewalls. For components in this class, end users must take care of the required security themselves. If they cannot meet this requirement, there is an obligation to commission external companies to do so.
In addition, the European Commission has established the “high-risk class”. This is the highest level. It includes operating systems as well as the security software used in companies. The Cyber Resilience Act states that IoT products in the highest tier must be tested by third-party vendors.
With the Cyber Resilience Act, the European Commission wants to ensure that IoT products basically meet a high security standard. It is not only companies that suffer from cyberattacks. Ultimately, all consumers also feel the consequences.