September 22, 2019

September 20, 2019

ENISA and Semiconductor Companies Seek Cybersecurity Standards from European Commission

The European Union Agency for Network and Information Security (ENISA), along with three semiconductor companies, recently released a position paper setting out a proposed European Commission (EC) position on security and privacy standards for Internet of Things (IoT) devices. ENISA is an agency established by the European Union to assist the EC, its member states, and businesses in addressing, responding to, and preventing cybersecurity issues. The paper points out that as IoT devices expand into all aspects of everyday life, including critical infrastructure and health systems, cyberattacks are becoming both more likely and more damaging. The paper includes four key recommendations.

First, the EC should define a framework to ensure minimal security requirements for connected devices. This framework should include a baseline security certification addressing IoT devices, commercial off-the-shelf (COTS) products and services, and products with short life cycles. The framework should also include a European trust label for connected devices that clearly indicates to consumers that the products meet established security guidelines.

Second, the EC should ensure that reliable processes and services are being developed and implemented by IoT manufacturers. The EC should promote awareness of existing security features such as encryption and strong authentication, and support the continued study of and improvement upon such existing security features.

Third, the EC should encourage the development of minimal requirements and common principles that should also be considered in future revisions of existing legislation and in new legislative initiatives. In developing these requirements and principles, commonalities across various sectors of the economy (e.g., healthcare, energy, transportation) should be leveraged to minimize the number of standards needed for similar certifications. The requirements and principles should also take safety into account where human lives would be endangered by cyberattacks (e.g., cyberattacks in the automotive or healthcare sectors).

Lastly, the EC should strive to create a level playing field, which could include a “Digital Security Bonus” as a reward for implementing good security practices, as well as an enforceable set of penalties for dealing with vendors that abuse established practices or deliver counterfeit products.

Whether the EC adopts any portion of the proposal remains to be seen. We noted growing concern among members of the US Congress over regulation of IoT devices. In the United States, both the Federal Trade Commission and the Department of Homeland Security have issued guidance to IoT manufacturers, but compliance with such guidance is voluntary.

Copyright © 2019 by Morgan, Lewis & Bockius LLP. All Rights Reserved.

About this Author

Emily Lowe, Corporate Finance Attorney, Morgan Lewis
Of Counsel

Emily R. Lowe represents clients in commercial transactions, with a focus on the acquisition, use, protection, development, and commercialization of technology and biotechnology. Emily helps domestic and international companies commercialize their products through various commercial vehicles, including manufacturing and supply agreements and distribution strategies, and development and licensing agreements.

Katherine B. O'Keefe, Morgan Lewis, Technology Lawyer
Associate

Katherine B. O’Keefe is part of a team that handles critical commercial transactions that enable our clients to run their business operations effectively. The team is focused on technology transactions, including licensing, services, and alliance deals that involve emerging technologies such as cloud computing, software as a service (SaaS), and data analytics. Our technology, outsourcing, and commercial transactions lawyers assist clients in managing their online presence, from website development, hosting, and maintenance; to privacy and use policies; to data breach and retention issues.