
Margaritis Schinas, one of the many vice presidents of the European Commission, holds his phone above his head behind the podium in the press room. Something is bothering the 60-year-old Greek. 
“Everything on the outside of my phone is regulated and has to comply with security standards. But there are no rules for what happens on the inside of this device,” Schinas says. His portfolio at the European Commission: Promoting the European way of life.

With the new law that the European Commission has proposed today, that is set to change. Any device that can be directly or indirectly connected to a network will be subject to mandatory security standards, so that it becomes more difficult, if not impossible, to hack them, just as every toy, piece of clothing, battery or pot of paint sold in Europe is already subject to a range of legal requirements on such things as flammability and toxicity. 

The Internet of Things is enormous

Standing next to Schinas is another European commissioner: Frenchman Thierry Breton, responsible for the goings-on of the internal market. He, too, is holding a gadget in his hand – a white security camera just like those hanging in countless stores and government buildings.

Around 75 billion such devices worldwide are expected to be connected to the Internet by 2025. To put it figuratively, Breton says the internet of things will then comprise ten times as many devices as there are people on the planet. From coffee makers to refrigerators to wireless speakers and so on and so on.

The goal of political intervention in the market for Internet gadgets is not to make it impossible to hack devices. There is no such thing as a hundred percent security, says Breton, who reminds the handful of journalists in the room that he graduated as a computer scientist once upon a time.

In the eyes of Brussels politicians, each and every one of these devices is a machine that poses a risk to the security of citizens and businesses. The lack of mandatory standards for hardware and software makes them backdoors that hackers can exploit to break into the systems of citizens and companies. Our privacy and data are at risk.

The economic damage caused by a successful hack and installation of ransomware, for example, is immense. According to the Commission, in Europe it amounted to at least €20 billion by 2021. 

Everything safe for five years

To put an end to this, all products that can be connected to the Internet must comply with a digital CE standard. Manufacturers will be under an obligation to factor cyber security into the entire production chain, from the initial planning stage through design and development to production, delivery and maintenance. 

Moreover, potential hacking risks must be documented and made public, and manufacturers have to report any successful hacking attempts. Manufacturers must also ensure that users can trust that their devices remain safe for at least five years, for instance by offering software updates. 

Three sorts of products

In the draft legislation, the Commission defines three categories of products: ‘standard’, ‘critical class 1’ and ‘critical class 2’. For the first group of products (ninety percent of the overall total), industry self-regulation will become the norm. Think of devices like hard drives and smart speakers. It also includes software programs such as word processors and editing programs. 

The other two categories of products will be subject to stricter requirements. They will have to comply with official standards (critical class 1) or even be tested by an independent party before being permitted on the market (critical class 2).

Falling under the first group are programs for managing passwords, firewalls and network interfaces. The group with the toughest requirements covers operating systems and industrial firewalls, to name a couple of examples. Enforcement of the new standards is a matter for the European member states. National regulatory bodies will have the power to penalize manufacturers who fail to comply. Fines can be as much as 1 percent of a company’s revenue. It will take several years for the legislation to come into effect across the European Union. These standards will apply to products new to the market once the law is formally in place.

Global standard

Commissioners Schinas and Breton hope that their law will become the norm around the world. Europe, through its single market, is the first continent to embrace these kinds of digital standards, but they claim that this will ultimately go beyond Europe. “We want to provide answers to questions that have not yet been answered in the United States and are not even being asked in China,” Schinas stated. 

When quizzed by the press, the pair had to acknowledge that there is some tension between the fight against hacking and the needs of European security services. Schinas specifically made it clear that the use of spyware will not be banned per se. Police forces will need to maintain their digital detection capabilities. It is only its malicious use that should be prevented.