Legal Updates, 23.12.2019

Cybersecurity developments – Finnish IoT device label and EU Cybersecurity Act

Finland the first EU country to launch consumer IoT device labelling system

At the end of November 2019 the National Cyber Security Centre Finland (the Finnish Communications Security Authority within the Finnish Transport and Communications Agency) launched a cybersecurity labelling system that guarantees the basic information security features of IoT devices aimed at consumers. The labelling system is based on the draft Consumer Internet of Things standard from the European Telecommunications Standards Institute (ETSI), and the label is awarded to any internet-connected smart device meeting the required security standards. The labelling criteria include, amongst others, secure access control, default settings, transfer and storage of personal data, and secure ecosystem interfaces.

IoT devices (smartphones and TVs, toys, activity trackers, routers, connected security systems and electronic appliances, to name a few) are typically equipped with technology such as microphones, cameras and sensors, which enable these devices to collect large amounts of user data. The lack of generally binding security requirements exposes these devices to cybersecurity-related threats and risks. The cybersecurity label will, naturally, help consumers identify the more secure options among the IoT devices available on the market.

The Cybersecurity Act and the introduction of an EU-wide voluntary certification scheme for ICT devices

Steps have also been taken at EU level to provide for a clearer and safer cyber environment. On 27 June 2019 Regulation (EU) 2019/881 of the European Parliament and of the Council on ENISA (the European Union Agency for Cybersecurity) and on information and communication technology cybersecurity certification (the "Cybersecurity Act") came into force, establishing an EU-wide cybersecurity certification framework for ICT products, services and processes. Through the Cybersecurity Act, ENISA has been given a permanent mandate (its limited mandate would have expired in 2020) and will be responsible for creating the certification schemes, which the European Commission may then adopt.

The Cybersecurity Act provides for three assurance levels that may come with the certification: basic, substantial or high. These levels correspond to the risk associated with the intended use of the ICT product, service or process, in terms of the probability and impact of an incident. National cybersecurity certification authorities in the member states are responsible for implementing and supervising the schemes.

Finnish IoT label, certification and the GDPR

In addition to consumers, controllers and processors of personal data also benefit from the Finnish labelling system and, once in place, from the EU-wide certification schemes. A label or certification may be used to demonstrate that the controller or processor aims to comply with the GDPR's requirements to (i) take privacy aspects into account from the early design stage of a product (privacy/security by design) and (ii) implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing (the exact measures are to be determined by the controller or processor). While an awarded label or certification does not necessarily release a controller or processor from liability under the GDPR, it still provides guidance for controllers and processors as to how the GDPR's technical security requirements may be satisfied.

What next?

The Commission shall, by the end of June 2020, publish a work programme for European cybersecurity certification identifying strategic priorities for future European cybersecurity certification schemes. The work programme shall include a list of ICT products, ICT services and ICT processes, or categories thereof, that can benefit from being included in the scope of a European cybersecurity certification scheme.

Once the relevant schemes have been established, manufacturers of ICT products and providers of ICT services may choose to apply for certification of their products, services or processes. Any existing national schemes will be replaced by the EU-wide schemes prepared by ENISA. These new EU-wide certification schemes will still be supervised in each member state by the national supervisory authorities.

The EU-wide certification scheme has, however, also received some criticism. In September 2019 the ENISA Advisory Group's working group on cybersecurity from a consumer perspective published an opinion addressing its concerns over the fact that the EU-wide certification scheme is voluntary. According to the opinion, this is contrary to EU product safety rules, since consumers cannot trust that their connected IoT devices are cybersecure and many organisations may not prioritise certification due to the lack of regulatory and economic incentives. The working group calls for mandatory certification schemes, which may become a reality, since the Cybersecurity Act requires the Commission to periodically assess whether specific cybersecurity requirements should be made mandatory for certain ICT products, services and processes.

For further information, please contact:

Charlotta Sittnikow, Counsel

© 2022 Waselius & Wist