The drafting of legislation like the European Cyber Resilience Act (CRA), which imposes better cybersecurity requirements on manufacturers of connected devices, products and services, was long overdue. The legislation will help to enforce common cybersecurity standards and reassure consumers that the internet-connected “things” they buy are secured to at least the level required in the European market.
“It is crucial for the EU to reap all the benefits of the digital age and to strengthen its industry and innovation capacity, within safe and ethical boundaries.”
The EU Cybersecurity Act and IoT consumers
For more than 30 years, the Internet of Things (IoT) has been one of the main drivers of the Digital Transformation. IoT has completely changed industries and has helped businesses find new models to stand out and succeed in today’s markets. Still, with all the benefits that come with having connected products or digitalizing businesses, poorly choosing your company’s IoT partner or products comes with significant risk.
When everything is connected, a cybersecurity breach can lead to significant economic costs as it can affect entire systems and disrupt activities. In that sense, through its objectives, the proposed CRA legislation aims for consumers to:
- Have access to more secure and less vulnerable hardware and software products.
- Have sufficient understanding of the security information and properties of the connected products they buy and use.
- Know that manufacturers are held accountable for the security of the connected products and software from the design phase and throughout the entire lifecycle.
What to keep an eye on?
Keeping IoT systems and connected products secure is an ongoing task. In that sense, you need to make sure that your IoT solutions provider prioritizes security, invests in it and works on it regularly and continuously.
When evaluating which IoT partner to trust with the creation of your company’s IoT solution, make sure to ask questions. For example:
- Do they create IoT products that are prepared not only for the security requirements of today but also for tomorrow?
- What engineering techniques and good practices are followed?
- Do they automate and standardize as many steps as possible to decrease the chances of human error?
- Do they secure every component in the system in more than one way?
- Do they have cybersecurity knowledge in-house?
And, in their answers, take note of the following keywords and practices:
- Routine risk assessments.
- Several layers of mitigation for every risk.
- Penetration tests.
- Continuous monitoring of the system.
- Over-the-air (OTA) updating.
- Secure Elements and individual encryption per device.
- Designing systems from the ground up (no bolt-on engineering).
“An IoT solution is only secure if each one of its components is.”
At EVALAN we regard security as essential, which is why we put extra development time, extra testing and extra investment into it. Our security-by-design strategy takes a comprehensive approach that requires us to incorporate multiple policies and best practices from the initial stages, across the entire system and throughout its lifecycle.
Furthermore, knowing how challenging it is for clients to deal with diverse vendors with different expertise to get one IoT solution, EVALAN decided to focus on developing solutions that are centered on the most critical link in the IoT chain. This allows us to ensure the highest security for our clients, while providing them with only one vendor to deal with and a single point of ownership when they need support.
Finally, since all our IoT solutions are built with security in mind, our clients will always have the possibility to scale as their company grows, without introducing vulnerabilities to the IoT system.
Where is the CRA now?
Currently, the CRA is being reviewed by the European Parliament and the Council for subsequent adoption. Once adopted, all Member States must approve its requirements within two years. In that sense, all manufacturers of products with “digital elements” that are interested in selling their products in the European market must be prepared to comply with the CRA.