How is EU cybersecurity law affecting IoT product design?

Snapshot

  • The EU's strategy on cybersecurity has the potential to be a game changer for product design, business models and distribution of IoT products across Europe
  • The proposed Cyber Resilience Act addresses manufacturers and also imposes obligations on importers and distributors of IoT devices, with an emphasis on security by design
  • The CRA provides an impetus for businesses to carefully consider cybersecurity when designing and manufacturing connected devices, throughout the whole lifecycle of a product

For manufacturers of Internet of Things (IoT) products or businesses looking to digitalise their operation, the first question when designing or procuring IoT systems is unlikely to be "could this product serve as an attack vector for malicious actors?" However, the EU's proposed Cyber Resilience Act (CRA) intends to make sure this question is on the agenda.

We are living through an explosion in the number of network-connected objects around us, with an estimated 25 billion IoT devices in use in 2021. However, a European Commission study has found that only half of all relevant companies apply adequate safeguards against cyberattacks, and that two-thirds of cyberattacks come from previously detected breaches that businesses failed to fix. A recent study reported a 30% increase in attacks targeting IoT systems during 2020, when the coronavirus pandemic struck.

Further Osborne Clarke Insights

> Our new products are connected – what implications does that have?
> Managing legal risk from IoT systems in business premises

What are connected IoT devices?

These are products or sensors that have the ability to connect to a network, either directly or indirectly, such as via Wi-Fi, Bluetooth or 4G-5G, and can receive, store, process or transmit data; examples include drones, robots working on an assembly line, wearables gathering critical health data about a patient, or "smart" lightbulbs.

What is security by design?

This is the practice of developing or designing products and services with security in mind from the outset.

Why are new requirements for IoT devices necessary?

Cybersecurity, as it applies to the development or design of a product, is an area of compliance not covered by any particular regulatory regime. Since 2020, a European Standard on Connected Device Security (EN 303 645) has provided cybersecurity best-practice guidance in the form of outcome-focused principles. In the UK, since 2018 there has been a government-backed code of practice for consumer IoT security. However, these codes and standards have all been non-binding and voluntary in their implementation.

Existing regulation has only indirectly addressed the risks associated with cybersecurity of IoT devices. The General Data Protection Regulation (GDPR) requires data controllers to take appropriate measures to ensure the security of the processing of personal data. However, it does not address key members of IoT supply chains (such as manufacturers, importers or distributors of devices) nor does it apply to IoT risks beyond those associated with personal data, such as risks to the integrity of IT infrastructure. Other EU legislation has similar shortcomings, such as the Network and Information Systems Directive, which is limited to operators of essential services and key digital service providers.

As proposed, the CRA is a regulation specifically for IoT devices in the EU to address regulatory gaps and strengthen the security of the whole IoT value chain. It places specific obligations within the regulatory framework for product compliance. IoT devices will be required to meet essential safety and product compliance requirements before they are able to be placed on the market in the EU. Conformity with the essential requirements will be demonstrated by displaying the CE mark. Failure to comply will lead to enforcement in individual Member States, which may include potential criminal liability.

What are the requirements?

There will be an impetus for businesses to carefully consider cybersecurity when designing and manufacturing connected devices, throughout the whole lifecycle of a product. Manufacturers will be required to factor cybersecurity into the design, development and production of products with digital elements. They will also be required to exercise ongoing due diligence on security aspects. And they will need to comply with mandatory vulnerability handling requirements.

Regulating IoT products in this way places conformity with cybersecurity standards (at the time of design and manufacture, and on an ongoing basis) at the same level of legal priority and significance as physical design requirements. There is also scope for the CRA to apply to devices which are already on the market if they receive a software update which changes their intended use, or affects their compliance with the regulation's essential cybersecurity requirements.

Alongside GDPR-style percentage of worldwide turnover fines which can be applied by regulators for non-compliance with the CRA, the EU's proposed revised Product Liability Directive will also make damages available for products that do not provide the level of safety expected by the public. Consumers may also be entitled to legal remedies where cybersecurity vulnerabilities lead to the loss or corruption of data or when a safety issue arises due to a lack of security updates after a product has been sold.

These future EU laws are still progressing through the legislative process and are subject to potential amendments. However, it is certain that security by design will be firmly placed at the heart of the design of IoT products and remain an important element of compliance throughout the product's lifecycle. The CRA addresses manufacturers but also imposes obligations on importers and distributors of IoT devices. The EU's strategy on cybersecurity has the potential to be a game changer for product design, business models and distribution of IoT products across Europe.

Authors

Thomas Stables (lead author), Associate, UK thomas.stables@osborneclarke.com +44 207 105 7928

Katie Vickery Partner, UK katie.vickery@osborneclarke.com +44 20 7105 7250

Laurène Zaggia Counsel, France laurene.zaggia@osborneclarke.com +33 1 84 82 45 98

Adrian Schneider Partner, Germany adrian.schneider@osborneclarke.com +49 221 5108 4370

Tobias Rothkegel Counsel, Germany tobias.rothkegel@osborneclarke.com +49 40 55436 4054
