German EU presidency pushes for cybersecurity ‘by design’ in connected devices

Connected devices in use across the EU should be subject to new cybersecurity standards throughout a product's "entire life cycle," draft Council Conclusions on the subject obtained by EURACTIV say.

The importance of bolstering the bloc's cybersecurity standards has risen rapidly up the EU policy agenda amid the coronavirus pandemic. [Shutterstock]

Laptops, smart phones and other connected devices in Europe should be subject to new cybersecurity standards throughout the “entire life cycle” of products, according to draft EU Council conclusions on the subject, obtained by EURACTIV.

The text from the German Presidency hones in on EU efforts to bolster the cybersecurity of connected devices and makes the case for introducing more robust measures to ensure that the rapid uptake of these products comes with appropriate security and privacy safeguards.

“The increased usage of consumer products and industrial devices connected to the internet will also raise new risks for privacy, information, and cybersecurity,” says the document, which has been circulated among EU nations.

“Cybersecurity and privacy should be acknowledged as essential requirements in product innovation, the production and development processes, including the design phase (security by design), and should be ensured throughout a product’s entire life cycle as well and across its supply chain.”

Connected devices are objects that can connect with each other and other systems via the Internet. They span everything from laptop or desktop computers, to smartphones or tablets, to an increasingly wide range of objects like connected watches and automation and control equipment in homes and factories.

The German EU presidency text on connected devices will be discussed as part of the Council Horizontal Working Party on cyber issues this Friday (6 November). It underlines the necessity of introducing “horizontal legislation in the long-term to address all aspects of ICT security of connected devices, such as availability, integrity, and confidentiality.”

Moreover, such a framework requires “relevant norms, standards or technical specifications for cybersecurity evaluations,” the document adds, citing the EU’s cybersecurity act adopted last year, which included a provision for the establishment of an EU cybersecurity certification framework.

Norms should be established for “different categories of connected devices” depending on their risk profile, the document says.

EU cyber resilience pushed 'to limit' amid Coronavirus, report says

The European Union’s cybersecurity resilience has been pushed to the limit of its capacities as an indirect result of the ongoing public health crisis, warned a new report from the EU’s cybersecurity agency ENISA, published on Tuesday.

Threat Landscape

Amid the coronavirus pandemic, the importance of bolstering the bloc’s cybersecurity standards has risen rapidly up the EU policy agenda, as remote working has increased exponentially and more people have spent time using connected devices at home.

A report published recently by the EU’s cybersecurity agency ENISA stated that the EU’s cybersecurity resilience has been pushed to the limit of its capacities as a result of the ongoing public health crisis.

“While working from home, cybersecurity specialists had to adapt existing defenses to a new infrastructure paradigm, attempting to minimise the exposure to a variety of novel attacks where the entry points are employees’ Internet-connected home and other smart devices,” the agency’s Threat Assessment report 2020 states.

“At the same time and under high-pressure, they had to implement solutions based on previously less trusted components, such as remote access through the public Internet, cloud services, unsecured video streaming services, and mobile devices and apps.”

Meanwhile, earlier this year, concerns had emerged over the resilience of the bloc’s critical infrastructures, particularly health bodies, after reports that some hospitals had come under attacks from foreign agents.

At the beginning of June, NATO released a statement condemning “destabilising and malicious cyber activities directed against those whose work is critical to the response against the pandemic, including healthcare services, hospitals, and research institutes.”

European Commission President Ursula von der Leyer suggested that China may have been behind a spate of cyberattacks against hospitals in Europe during the coronavirus outbreak, stressing that the EU will not “tolerate” such malicious activity.

Authorities in the Czech Republic had registered attacks on critical national infrastructures in the country, including one particular hit on Brno hospital. The country’s National Cyber and Information Security Authority (NÚKIB) issued a cybersecurity warning at the time.

The attacks prompted the EU executive to deliver a new EU security strategy in July, which included plans to bolster standards for the cybersecurity of European critical infrastructure.

Von der Leyen: Chinese cyberattacks on EU hospitals 'can't be tolerated'

EU Commission President Ursula von der Leyen has accused China of leading a spate of cyberattacks against hospitals in Europe during the coronavirus outbreak, stressing that the EU will not “tolerate” such malicious activity.

NIS Directive Review

On December 15, Commission Vice-Presidents Margrethe Vestager and Margaritis Schinas are set to present the executive’s review of the network and information systems (NIS) directive, which entered into force in August 2016, with nations having to transpose the measures into national law by May 2018.

The rules laid down new standards for cybersecurity capabilities and also introduced requirements for cross-border cooperation and oversight on operators of essential services. The Commission recently closed a public consultation on the efficacy of the measures, the feedback of which will feature in the review.

Jakub Boratyński, a senior official at Commission’s department for communications networks, content and technology (DG Connect), informed EURACTIV earlier this year that a widening of the scope of operators of essential services in the NIS Directive is very likely, considering how vital certain networked tools have become in our everyday lives during the pandemic.

Commission presents security strategy to tackle Europe's evolving threat landscape

Better cybersecurity standards for critical infrastructure, doubling down on tackling terrorism and organized crime, and preparing the bloc for emerging threats in “real and digital” environments, dominated the European Commission’s new EU Security Union strategy, presented on Friday (24 July).
“With …

(Edited by Frédéric Simon)


This stakeholder supports EURACTIV's coverage of Cybersecurity. This support enables EURACTIV to devote additional editorial resources to cover the topic more widely and deeply. EURACTIV's editorial content is independent from the views of its supporters.


Subscribe to our newsletters