23. February 2018

VdTÜV position on the regulation proposal for a European “Cybersecurity Act”

As part of the 2017 cybersecurity strategy, the European Commission (EC) published a regulation proposal for the “EU Cybersecurity Agency” and the “Cybersecurity Act” in September 2017. VdTÜV welcomes the objective the EC is pursuing with this legislative initiative: Strengthening trust in the security of products and ensuring a higher level of cybersecurity through a consistent framework for the certification of IoT products.

A continuous series of new security incidents clearly demonstrates that the security of Internet-based products must be guaranteed across the entire product lifecycle and the entire ecosystem. Highly innovative products such as medical devices or connected vehicles, but also simple products such as electric kettles increasingly feature integrated software and use individual IP addresses. Due to updates and expanded functionality, which are no longer solely contained within the product, but also in the “backend” or the product network, the definition of products and the concept of product safety are changing. Thus, the functional safety of a product is increasingly contingent on its information security.

The risk for the user of falling victim to  cyberattacks is increasing. Sensitive – and often personal – data can be manipulated, exposed, or destroyed. This applies in particular to critical infrastructure, i.e. neuralgic systems such as power and water supplies. Integrity, confidentiality, availability, and the interplay of “safety”, “security”, and “privacy” of digital systems are essential requirements for the acceptance of digital social trends, making them the backbone of innovation and economic growth. It is paramount for innovations to be implemented securely to become progress.

A consistent certification framework can significantly contribute to ensuring that products and services are already secure before market entry and remain resilient throughout their entire lifecycle. Nevertheless, the present regulation proposal does not adequately take the long-term significance of secure internet-capable devices into account with regard to future societal developments and therefore requires substantial recalibration.

The full paper is available for download here.

VdTÜV Verband der TÜV e.V.
Presse- und Öffentlichkeitsarbeit
Friedrichstraße 136 | D-10117 Berlin