This article is part of our special report #SOTEU: Key issues from von der Leyen’s annual speech.
European Commission President Ursula von der Leyen announced on Wednesday (15 September) a Cyber Resilience Act aimed at setting common cybersecurity standards for connected devices.
“We cannot talk about defence, without talking about cyber,” von der Leyen said in her annual State of the Union speech in Parliament.
“If everything is connected, everything can be hacked,” she added, noting that the growing number of connected devices also increases vulnerability to cyber attacks.
According to von der Leyen, the rapid spread of digital technologies “has been a great equaliser in the way power can be used today by rogue states or non-state groups” to disrupt critical infrastructures such as public administration and hospitals.
“And given that resources are scarce, we have to bundle our forces. And we should not just be satisfied to address the cyber threat, we should also strive to become a leader in cyber security,” the Commission president said.
The Commission initiative adds to an existing proposal for a Directive on Security of Network and Information Systems, commonly known as the NIS2 Directive. NIS2 expands the scope of the previous directive by raising the cybersecurity requirements for digital services employed in critical sectors of the economy and society.
Bart Groothuis, the lawmaker leading on the NIS2 file in the European Parliament, emphasises the complementarity of the two EU laws. While NIS2 addresses the security of critical supply chains, he says connected devices are a blind spot in the EU cybersecurity arsenal.
“The internet of things will bring about a great deal of unsecured products, because security is often not on top of the mind of the producers of such machines. And there is no European standard yet to be upheld. It’s nice to have a pulled pork machine in your kitchen, or a smart coffee machine, but it is also a way hackers can enter your home IT systems,” Groothuis told EURACTIV.
That is precisely what was shown in the Hackable Home, a project led by a campaign group called Euroconsumers, which illustrated through ethical hacking how most smart home devices lacked even basic cybersecurity standards.
“We’ve been long advocating for this to ensure consumers’ safety across the EU,” said Els Bruggeman, head of policy and enforcement at Euroconsumers. “If the Commission wants to become a leader in cybersecurity, it must work on a common EU approach to cyber threats that enables consumer trust in the IoT,” Bruggeman added.
Similar concerns on the need to define baseline cybersecurity requirements were also raised by DigitalEurope, the leading trade association of Europe’s digital industries. In a recent report, the association warned that existing product safety regulations failed to set cybersecurity obligations for connected devices.
While welcoming the Cyber Resilience Act, DigitalEurope director-general Cecilia Bonefeld-Dahl cautioned about the proliferation of EU proposals to regulate the cyber environment.
Besides the NIS2 directive, several proposals are on the table, including a Directive on the resilience of critical entities, the more sectoral Digital Operational Resilience Directive, and several regulations on product safety, she pointed out.
“We need more harmonised targets and easily implementable rules if we want to achieve the right protection for Europeans and help the European industry build cyber security capabilities at scale,” Bonefeld-Dahl said.
MEP Groothuis, for his part, called for an EU-wide Domain Name System (DNS). DNS is critical infrastructure for global internet governance and is operated by a handful of non-European entities, which makes it difficult for EU countries to respond to large-scale cyberattacks and leaves them vulnerable to geopolitical tensions.
“When I worked at the Dutch Ministry of Defence as head of cyber security, I had to deal with the devastating NotPetya attacks from Russia, and the WannaCry worm from North Korea, that both inflicted billions in damages on European businesses,” Groothuis said.
According to him, the Dutch authorities at the time were unable to stop these attacks, even though they knew the domains and servers used by the hackers.
For the Dutch lawmaker, an EU DNS alternative is “the only way to create such a shield, and protect Europe.” In its cybersecurity strategy, the Commission stated its intention to develop a European DNS resolver service, DNS4EU, but the proposal is yet to be defined.
[Edited by Frédéric Simon]