Cyber Resilience Act to address the safety of smart homes

The European Commission today unveiled its Cyber Resilience Act which aims to address market needs and protect consumers from insecure products through the introduction of common cybersecurity rules. 

Today, we live in an increasingly digitalised world. Advances in technology have changed our daily routines and how we’ve come to view the home. According to the latest APPLiA Statistical Report, the number of users of smart appliances in the EU is expected to match the population of Australia by 2024. Without doubt, connected devices are here to stay. The place we call home has evolved from simply being a physical space to an immersive connected environment. All the data and information produced by the interactions that occur every day between us and our smart applications are a critical part of it. Securing them against any potential threat is as fundamental as locking the front door when leaving the house in the morning. Ordinary, right?

Acting as a ‘one-stop shop’ for digital devices, “the implementation of a centralised legal reference point would make it easier for manufacturers to abide by, avoiding repetition and conflict of regulations,” explained Paolo Falcioni, APPLiA Director General, shedding light on the importance for white goods manufacturers of having one single legal reference for product regulation on cybersecurity. The establishment of a horizontal regulatory approach introducing cybersecurity requirements for a broad scope of tangible and non-tangible digital products would, in fact, provide legal certainty for businesses, lower prices for consumers, and make EU industries more competitive on the global market, showcasing European cybersecurity standards globally.

When it comes to setting standards, each connected product faces its own level of cybersecurity risk. Standards on cybersecurity must be set for each product in direct correlation with the amount of risk it poses. Take, for example, the exchange of data when using your washing machine versus using your mobile banking app. It’s clear that the two applications present different levels of cybersecurity risk. Here, we can classify the mobile banking application as ‘high risk’ and the washing machine data as ‘low risk’, a distinction that standards must reflect. To strike a balance, a clearly defined boundary should exist to distinguish between low and high-risk products and the subsequent standards each product must adhere to.

“High cybersecurity standards have a key role to play in creating a robust EU cybersecurity system for all economic operators, to guarantee EU citizens safe usage of all products,” outlined APPLiA’s DG. While legislation provides the essential requirements, common specifications, via implementing acts, should be utilised as a ‘plan B’, determined by EN Standards. While the industry stresses the importance of standardisation as the optimal route to ensuring user safety, common specifications create a viable alternative to address cybersecurity issues on a product-by-product basis, but should only be triggered if a traditional standard-making process fails.

Overall, the establishment of common standards that apply across the whole of the EU Single Market benefits all actors. An underdeveloped ecosystem, with fragmented legislation and standards that do not reflect the ever-growing cybersecurity risk of products, could drastically fall short on the security side for European consumers. “The safety of our homes can no longer be viewed in only the physical sense,” stressed Falcioni. Connected, digital homes offer great technological advances reimagining how we live, yet these advancements can only be reached through an applicable set of standards which correspond to the levels of cybersecurity risk faced by each product.