Commission to work on standards for high-risk IoT products under cyber rules
The European Commission will work on cybersecurity standardisation requests for high-risk connected products as soon as the Cyber Resilience Act (CRA) is fully adopted, a commission official said today (21 March).
“We have already one request out for consultation and we will send out the official one [to standardisation bodies] as soon as the CRA is approved,” Christiane Kirketerp de Viron, head of DG Connect's cybersecurity and digital privacy policy unit, said at an event organised by the Cybersecurity Coalition.
Proposed by the commission in 2022, the CRA aims to ensure that items with digital features, including everyday Internet-ofthings products like connected doorbells and baby monitors as well as industrial machinery, are secure to use, resilient against cyber threats and provide enough information about their security properties.
So-called critical products will be examined more stringently by an oversight body, while those more low-risk are managed internally by manufacturers.
“We need to be smart in the requests, we will not be able to have standards for everything that the CRA covers straight away. We need to prioritise and look first at those that give conformity to the critical products,” she added.
EU executive will tomorrow (22 March) host a standards-related workshop with member states.
Commission evaluating role of ENISA amid deadlock over cyber certificates Belgium tries to break cybersecurity certificate deadlock
The CRA was approved in the European Parliament earlier this month (12 March) after a political deal late last year and is now awaiting formal adoption by the EU member states, before it will enter into force.
In addition to standards, the commission will also prepare implementing acts and delegated acts - secondary legislation - this year, as well as issue guidelines to companies.
Under the rules, producers of IoT devices can only launch products on the EU market if they know it does not have any significant vulnerabilities can that be hacked. Whenever they become aware of incidents or hacks, they will have to report this to the relevant authorities.