No mandatory cybersecurity certifications for European IoT devices

Not everyone is completely satisfied with the European Union’s proposed Cybersecurity Act – the text does not cover mandatory cybersecurity certifications for IoT devices, effectively leaving a huge attack vector wide open.

These certifications would basically ensure that the product in question complies with international standards, has no vulnerabilities, and that only authorised individuals can use it. However, Parliament only seems to want the certifications to cover things like the energy infrastructure.

According to Monique Goyens, director general of the European consumer organisation BEUC, connected devices that don’t follow proper security standards could open the floodgates for a huge cybersecurity crisis. For this reason, consumer groups have long been pushing for the following cybersecurity requirements:

– Encryption

– Strong passwords

– Security updates

For the last year or two, national watchdogs have kept warning us about the potential ramifications of non-secure connected products. For example, cybersecurity flaws in these devices could allow a stranger to talk to your kids, and flaws present in smartwatches could seriously compromise one’s privacy.

Besides, compromised IoT devices could easily be added to a botnet, the consequences of which can be absolutely devastating, as demonstrated by the havoc caused by the Mirai botnet.

Even though the Cybersecurity Act fails to address these concerns, there may be another avenue. Currently, the European Council is negotiating the details of the Digital Content Contracts Directive. Although it is meant to protect consumers when buying digital services and content online, the law would also cover embedded software.