BILETA Special Edition

The IoT and the new EU cybersecurity regulatory landscape

Pages 118-137 | Received 18 Oct 2021, Accepted 21 Dec 2021, Published online: 07 May 2022

ABSTRACT

This article aims to cast light on how the fast-evolving European cybersecurity regulatory framework would impact the Internet of Things (IoT) domain. The legal analysis investigates whether and to what extent existing and proposed sectoral EU legislation addresses the manifold challenges in securing IoT and its supply chain. It firstly takes into account the Cybersecurity Act, being the most recent and relevant EU legal act covering ICT products and cybersecurity services. Then, EU product legislation is scrutinised. The analysis focuses on the delegated act recently adopted by the Commission under the Radio Equipment Directive (RED), strengthening wireless devices’ cybersecurity, the Medical Devices Regulation, the Proposal for a General Product Safety Regulation and the Proposal for a Machinery Regulation. Lastly, the proposal for a revised Network and Information Systems Directive (NIS2) is assessed in terms of its potential impact on the field of IoT cybersecurity. Against this backdrop, the article concludes by advocating the need for a separate horizontal legislation on cybersecurity for connected products. To avoid fragmentation of the EU's Single Market, a horizontal legal act should be based on the principles of the New Legislative Framework, with ex-ante and ex-post cybersecurity requirements for all IoT sectors and products categories.

Disclosure statement

No potential conflict of interest was reported by the author(s).

Notes

1 The pervasive and multi-device nature of IoT is increasingly prompting a review of the original acronym, as some prefer the term Internet of Everything (IoE); CISCO, ‘How does Cisco define the Internet of Everything, and how is it different from the “Internet of Things”?’ (2013), available at: https://www.cisco.com/c/dam/en_us/about/business-insights/docs/ioe-value-at-stake-public-sector-analysis-faq.pdf.

2 Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act).

3 Regulation (EU) 2019/881, Article 2(1).

4 Regulation (EU) 2019/881, Article 68(4).

5 Article 4 of Regulation (EU) 2019/881 outlines the main objectives of the Agency, such as assisting Union institutions, bodies, offices, agencies as well as Member states in implementing EU policies on cybersecurity, supporting capacity-building and preparedness across the Union, promoting cooperation, including information-sharing and coordination at Union level, contributing to increasing cybersecurity capabilities and promoting the use of EU cybersecurity certification.

6 Article 5 of Regulation (EU) 2019/881 mainly refers to three strands of action: assisting in the development, review and implementation of Union cybersecurity policy and law; contributing to the work of the Cooperation Group; and supporting the development and implementation of cybersecurity policy in Union legislation as well as the regular review of Union policy through an annual report on the state of implementation of the respective legal framework.

7 Regulation (EU) 2019/881, recital 19.

8 Regulation (EU) 2019/881, Article 3(1).

9 Regulation (EU) 2019/881, recital 69.

10 Regulation (EU) 2019/881, Article 2(12).

11 Regulation (EU) 2019/881, Article 2(13).

12 Regulation (EU) 2019/881, recital 2.

13 Regulation (EU) 2019/881, recital 65.

14 Regulation (EU) 2019/881, Article 58.

15 Regulation (EU) 2019/881, Article 60.

16 Regulation (EU) 2019/881, Article 53.

17 Regulation (EU) 2019/881, Article 54(1); recital 84.

18 Regulation (EU) 2019/881, Article 51, letters (a) and (b).

19 Regulation (EU) 2019/881, Article 51, letter (c).

20 Regulation (EU) 2019/881, Article 51, letters (d) and (g).

21 Regulation (EU) 2019/881, Article 51, letters (e) and (f).

22 Regulation (EU) 2019/881, Article 51, letter (h).

23 Regulation (EU) 2019/881, Article 51, letter (i).

24 Regulation (EU) 2019/881, Article 51, letter (j).

25 Regulation (EU) 2016/679, Article 42(3): ‘the certification shall be voluntary and available via a process that is transparent’.

26 Regulation (EU) 2019/881, Article 56(2); recital 91.

27 Regulation (EU) 2019/881, recital 91.

28 Regulation (EU) 2019/881, recital 92.

30 The New Legislative Framework aims to improve the internal market for goods and to strengthen the conditions for placing a wide range of products on the market (CE marking), via a package of measures which improves market surveillance and boosts the quality of conformity assessments. These measures are: Regulation (EU) 765/2008; Decision 768/2008/EC; Regulation (EU) 2019/1020. European Commission, ‘The “Blue Guide” on the Implementation of EU Products Rules 2016 (2016/C 272/01)’ [2016] Official Journal of the European Union, 9–10.

31 Directive 2014/53/EU of the European Parliament and of the Council of 16 April 2014 on the harmonisation of the laws of the Member States relating to the making available on the market of radio equipment and repealing Directive 1999/5/EC (Text with EEA relevance).

32 Directive 2014/53/EU, Article 2(1)(1).

33 Commission Delegated Regulation (EU) 2022/30 of 29.10.2021 supplementing Directive 2014/53/EU of the European Parliament and of the Council with regard to the application of the essential requirements referred to in Article 3(3), points (d), (e) and (f), of that Directive.

34 RED delegated act, recital 9: ‘an attacker may maliciously flood the internet network to prevent legitimate network traffic, disrupt the connections between two radio products, thus preventing access to a service, prevent a particular person from accessing a service’.

35 Contra see Cezary Banasinski and Marcin Rojszczak, ‘Cybersecurity of Consumer Products against the Background of the EU Model of Cyberspace Protection’ (2021) 00 Journal of Cybersecurity 1, 7.

36 CJEU, Case C-582/14, Patrick Breyer v Bundesrepublik Deutschland (2016); CJEU, Case C-434/16 Peter Nowak v Data Protection Commissioner (2017).

37 RED delegated act, Article 1(1).

38 RED delegated act, Article 1(2).

39 RED delegated act, Article 2(1).

40 RED delegated act, Article 2(2).

41 RED delegated act, recital 15.

42 MDR, Annex I, 14.2(d).

43 MDR, Annex I, 17.2.

44 MDR, Annex I, 17.3.

45 MDR, Annex I, 17.4.

46 Proposal for a Regulation on General Product Safety, Article 7(h).

47 European Commission, ‘Commission Staff Working Document Impact Assessment accompanying the document Proposal for a Regulation of the European Parliament and of the Council on general product safety, amending Regulation (EU) No 1025/2012 of the European Parliament and of the Council, and repealing Council Directive 87/357/EEC and Directive 2001/95/EC of the European Parliament and of the Council’ SWD(2021) 169 final, 10.

48 Directive 2006/42/EC of the European Parliament and of the Council of 17 May 2006 on machinery.

49 European Commission, ‘Proposal for a Regulation of the European Parliament and of the Council on machinery products’ COM(2021) 202 final.

50 The Essential Health and Safety Requirements (EHSR) in Annex III will be modified to address cybersecurity issues with an impact on safety: (i) EHSR 1.1.9: security by design of machinery products; (ii) EHSR 1.2.1: security by design of control systems.

51 Proposal for a Regulation on Machinery Products, article 2(2)(m).

52 NIS Directive, art. 5(2): the entity provides a service that is essential for the maintenance of critical societal and/or economic activities; the provision of the service depends on network and information systems; and, incidents would have significant disruptive effects on the provision of the service.

53 NIS Directive, Annex III.

54 This has been justified by the former's direct link with physical infrastructure, as opposed to the cross-border nature of the latter (recital 57).

55 NIS Directive, recital 60; Article 17(1).

56 NIS Directive, art. 14; Mark D Cole and Sandra Schmitz, ‘The Interplay Between the NIS Directive and the GDPR in a Cybersecurity Threat Landscape’ (2020) SSRN Electronic Journal, 8: ‘[w]hile the national transposition of the NIS Directive repeat the general wording of the Directive, complementary guidance or regulations amending national law define the indefinite legal concepts further’.

57 European Commission, ‘Proposal for a Directive of the European Parliament and the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148’ COM(2020) 823, 2.

58 NIS Directive, recital 50.

59 European Commission – Expert Group on Liability and New Technologies, ‘Liability for Artificial Intelligence and Other Emerging Digital Technologies’ (2019): the report, released at the end of November 2019, is the final deliverable of the Expert Group on liability and new technologies appointed by the European Commission in March 2018.

60 Proposal for NIS2, 6.

61 ibid, 6.

62 ibid, Article 2(1).

63 ibid, recital 9.

64 ibid, Article 2(2). Notably, article 5(2)(h) would mandate Member States to adopt, as part of the national cybersecurity strategy, a ‘policy addressing specific needs of SMEs, in particular those excluded from the scope of this Directive, in relation to guidance and support in improving their resilience to cybersecurity threats’.

65 Ibid, recital 7.

66 NACE Rev. 2 – Statistical classification of economic activities in the European Community, division 26, 69.

67 Proposal for NIS2, Article 6(1).

68 Draft European Parliament legislative resolution on the proposal for a directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148 (COM(2020)0823 – C9-0422/2020 – 2020/0359(COD)), amendment 127.

69 id.

70 Proposal for NIS2, recital 28.

71 BDI, ‘Position on ITRE Amendments to NIS 2 Directive: German industry's position on the ITRE Committee's amendments to the Commission proposal for a Directive on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148’, 6.

73 The list includes risk analysis and information security policies, incident handling, use of cryptography and encryption, business continuity, testing and auditing procedures to assess the effectiveness of the cybersecurity measures.

75 RED delegated act, 5.

Additional information

Funding

This project has received funding from the European Union’s Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie ITN EJD grant agreement No 814177.