Commission plans cybersecurity rules for internet-connected machines

The European Commission is drafting new cybersecurity rules specifically for machines. In this case a "smart" refrigerator. [Wikimedia]

The European Commission is getting ready to propose new legislation to protect machines from cybersecurity breaches, signalling the executive’s growing interest in encouraging traditional European manufacturers to build more devices that are connected to the internet.

A new plan to overhaul EU telecoms law, which digital policy chiefs Günther Oettinger and Andrus Ansip presented three weeks ago, aims to speed up internet connections to meet the needs of big industries like car manufacturing and agriculture as they gradually use more internet functions.

But that transition to more and faster internet connections has caused many companies to worry that new products and industrial tools that rely on the internet will be more vulnerable to attacks from hackers.

EU lawmakers want to dispel those fears by creating rules that force companies to meet tough security standards and go through multi-pronged certification processes to guarantee privacy.

“That’s really a problem in the internet of things. It’s not enough to just look at one component. You need to look at the network, the cloud. You need a governance framework to get certification,” Thibault Kleiner, Oettinger’s deputy head of cabinet, said  at a Brussels conference yesterday evening (4 October).

Kleiner said the Commission would encourage companies to come up with a labelling system for internet-connected devices that are approved and secure.

Firms from a range of industries, including energy, automotive and healthcare, joined a platform on the internet of things that the Commission set up last year as part of its efforts to push companies to embrace industrial use of the internet. Big companies like Cisco, Bosch, Nokia and Philips are part of the group, along with several telecoms operators.

How Oettinger surprised Brussels

Günther Oettinger has faced ridicule for his handling of EU tech policy since he took the job two years ago. But the digital Commissioner is finally getting some credit, and winning praise from some corners for a major overhaul of telecoms law.

There are currently around 6 billion internet-connected devices in use worldwide, and that figure is predicted to soar to over 20 billion by 2020, according to research by consultancy Gartner.

The internet of things is a catchphrase that has caught on with Brussels legislators and lobbyists, who use it to describe devices that haven’t used internet connection up until now—but will in the future, like connected cars that predict traffic or calculate ways to save fuel, or refrigerators that alert a person when they’re running out of food.

The EU labelling system that rates appliances based on how much energy they consume could be a template for the cybersecurity ratings: Kleiner pointed to that as “something I’d apply to the internet of things”.

Some hardware manufacturers are sceptical of the Commission’s plans to require certification for different parts of internet-connected devices and instead want hardware like SIM cards to be approved as security guarantees that can be used with appliances, Kleiner acknowledged.

New Commission proposals in November

The Commission is about to make a set of new announcements in November that will ruffle feathers in industries that want to turn using and selling consumers’ personal data into a new business model.

Those rules will affect how companies can access consumers’ data and what kind of contracts they can have to sell that information to partnering firms. Car companies have warned against contract rules that could force them to lose control over the personal data that drivers produce in vehicles. Tech companies and internet operators that provide services like in-car entertainment could dominate in a more digital car industry, car manufacturers fear.

Kleiner said EU officials crafting the new laws are still considering how they’ll define data. Hard-fought, four-year-long negotiations over EU data protection rules that are set to go into effect in 2018 taught lawmakers that “it’s not about data as something you monetise, it’s about dignity, something that’s personal to an individual,” he said.

“It’s completely different from taking about data as something that can be monetised, accessed and shared to create business opportunities.”

Carmakers fear EU plans to ease data flows will help tech rivals

European car manufacturers are seeking full control over the data sent to them by connected vehicles they put on the road, and fear a move by Brussels that would impose sharing that data with rivals.

Read more with Euractiv

Subscribe now to our newsletter EU Elections Decoded

The internet of things is a phrase used to describe the next step towards the digitisation of society and economy, where objects and people are interconnected through communication networks and report about their status and/or the surrounding environment. Devices and machines that haven't typically used internet connections are increasingly being made with some internet functions, like cars that rely on traffic sensors.

According to a recent European Commission study, the market value of connecting devices in the EU is expected to exceed one trillion euros in 2020, compared to 307 billion in 2013. The number of connections within the EU28 will increase from approximately 1.8 billion in 2013 (the base year) to almost six billion in 2020.

The study found investment programs or initiatives in this field in 13 member states. Germany, Netherlands, Sweden and the United Kingdom appear to lead in terms of capability (investment growth, ICT diffusion, Government support) and other initiatives related to the Internet of Things.

Subscribe to our newsletters

Subscribe