top of page

The (close) future of consumer IoT cybersecurity regulation

Updated: Jun 13, 2020

On 11 June, ETSI – a European Standards Organisation – held a webinar on consumer Internet of Things (IoT) cybersecurity considerations and certification, as part of their Annual Cybersecurity Week. 


Indeed, such discussions are rather technical and get become quickly boring and overwhelming. Yet, there is much information hidden in them from a regulatory and lobbying perspective, too.


Overall, it seems that the existing standard EN 303 645 is the baseline everywhere (with TS 103 546 and TS 103 701) when one discusses certification and standardization of consumer IoT products. Deliveries from ETSI in this regard are expected within months. 


If all goes according to the plan, the “new” IoT standard updates will be modernized yearly, until 2024 at least. Once the EN standard is published, it has to be continuously updated to reflect rapidly coming technical changes. More work on vertical standards and the guidance document will be published, certain classes of consumer IoT will also be included and examined. 


This means that connected digital products that consumers would typically use in their homes (home routers, smart lighting solutions, smart locks, etc.) are going to be affected by the yet-to-come modifications. However, ETSI also underlined that EN 303 645 is limited to the device itself and does not cover how related services (data treatment caught by these IoT devices) work. Nor does it to the labelling of IoT products, or even non consumer IoT products (e.g., street cameras). The EN standard is not meant to be directly implemented in a regulation but rather to give guidance to manufacturers. 


The ETSI observations also resonated the European Union’s ambitions regarding the Cybersecurity Act and the ongoing work regarding the Radio Equipment Directive’s articles 3, 4.


Given the patchwork of the European cybersecurity certification sphere - international vs proprietary standards -, it was emphasized that one national case, the UK regulation of IoT products, remains to be a priority for the Johnson government and further information will be published before the end of July 2020. 


If your business is around IoT products in the consumer segment, you should be preparing and paying close attention to the relevant EU public consultations, ETSI publications, CEN-CENELC work and national legislations. New requirements won't come overnight but they can cost quite a few euros to implement.



0 comments

Recent Posts

See All

Comments


bottom of page