In December 2020, the European Council approved conclusions that acknowledge the increased use of consumer products and industrial devices connected to the internet and the related risks for privacy, information security and cybersecurity.
It believes connected devices, including machines, sensors and networks that make up the Internet of Things (IoT), will play a key role in further shaping Europe’s digital future.
The conclusions set out priorities to address this crucial issue and to boost the global competitiveness of the EU’s IoT industry by ensuring the highest standards of resilience, safety and security.
They also underline the importance of assessing the need for horizontal legislation in the long term to address all relevant aspects of the cybersecurity of connected devices, such as availability, integrity and confidentiality. This would include specifying the necessary conditions for placement on the market.
Some of the conclusions reached are:
- That the European Union and its Member States need to ensure their digital sovereignty and strategic autonomy, while preserving an open economy.
- That in addition to ensuring a high level of security of connected devices, it is equally important to increase consumer awareness of their potential privacy and security risks.
- That there is a need to establish cybersecurity norms, standards or technical specifications for connected devices, and that efforts undertaken by European Standards Organisations in this matter should be strengthened.
- That cybersecurity and privacy must be an essential part of product innovation, production and development processes, including the design phase, and must be guaranteed throughout a product’s entire life cycle and across its supply chain.
Lastly, cybersecurity certification, as defined under the Cybersecurity Act, will be essential for raising the level of security within the digital single market. The EU Agency for Cybersecurity, ENISA, is already working on cybersecurity certification schemes, and the conclusions invite the Commission to consider a request for candidate cybersecurity certification schemes for connected devices and related services.