Cybersecurity developments – Finnish IoT device label and EU Cybersecurity Act

Finland the first EU country to launch consumer IoT device labelling system

In end November 2019 the National Cyber Security Centre Finland (the Finnish Communications Security Authority within the Finnish Transport and Communications Agency) launched a cybersecurity labelling system by which the basic information security features of IoT devices, aimed at consumers, are guaranteed. The labelling system is based on the draft Consumer Internet of Things standard from the European Telecommunications Standards Institute (ETSI) and the label is awarded any internet connected smart device meeting the required safety standards. The labelling criteria include, amongst others, safe access control, default settings, transfer and storage of personal data and secure ecosystem interfaces.

IoT devices (smart phones and TVs, toys, activity trackers, routers, connected security systems, electronic appliances to name a few) are typically integrated with technology such as microphones, cameras and sensors which enable these devices to collect large amounts of user data. The lack of general binding security requirements exposes these devices to cybersecurity related threats and risks. The cybersecurity label will, naturally, help consumers to identify the more secure options of all IoT devices available on the market.

The Cyber Security Act and introduction of an EU wide voluntary certification scheme for ICT devices

Also on an EU level steps have been taken in order to provide for a clearer and safer cyber environment. On 27 June 2019 the Regulation (EU) 2019/881 of the European Parliament and of the Council on ENISA (the European Union Agency for Cybersecurity) and on information and communication technology cybersecurity certification (“Cybersecurity Act”) came into force establishing an EU wide cybersecurity framework for ICT products, services and processes. ENISA has, through the Cybersecurity Act, been given a permanent mandate (its limited mandate would have expired in 2020) and it will be responsible for creating the certification schemes, which the European Commission may then adopt.

The Cyber Security Act provides for different levels of assurance that may come with the certification: basic, substantial, or high. These levels correspond to the risk associated with the intended use of the ICT product, service or process in terms of the probability and impact of an incident. National cybersecurity certification authorities in the member states are responsible for implementing and supervising the schemes.

Finnish IoT label, certification and the GDPR

In addition to consumers also controllers and processors of personal data benefit from the Finnish labelling system and, once put in place, from the EU wide certification schemes. A label or certification may be used to prove that the aim of the controller or processor is to comply with the GDPR’s requirements to (i) take privacy aspects into account already from the early design process of a product (privacy/security by design) and (ii) implement appropriate technical and organizational measures to ensure a level of security for the processing appropriate to the risk (the exact measures are to be determined by the controller or processor). While an awarded label or certification does not necessarily release a controller or processor from liability under the GDPR, they still provide guidance for controllers and processors as to how the GDPR’s technical security requirements may be satisfied.

What next?

The Commission shall, by end June 2020, publish a work programme for European cybersecurity certification identifying strategic priorities for future European cybersecurity certification schemes. The work plan shall include a list of ICT products, ICT services and ICT processes or categories thereof that can benefit from being included in the scope of a European cybersecurity certification scheme.

Once relevant schemes have been established manufacturers of ICT products or providers of ICT services may choose to apply for certification of their products, services or processes. Any existing national schemes will be replaced with the EU-wide frameworks prepared by ENISA. These new EU-wide certification schemes will still be supervised in each member state by national supervisory authorities.

The EU-wide certification scheme has, however, also received some criticism. The ENISA Advisory Group’s working group on cybersecurity (from a consumer perspective) has in September 2019 published its opinion addressing its concerns over the fact that the EU-wide certification scheme is voluntary. According to the opinion this is contrary to EU product safety rules since consumers cannot trust that their connected IoT devices are cybersecure and many organizations may not prioritize certification due to the lack of regulatory and economic incentives. The above working group calls for mandatory certification schemes, which may become reality since the Cybersecurity Act requires the Commission to periodically assess whether specific cybersecurity requirements should be made mandatory for certain ICT products, services and processes.

For further information please contact:

Charlotta Sittnikow

Counsel