Alexander Botting
Former Director for Global Regulatory Cooperation


September 14, 2017


Yesterday, the European Commission unveiled a proposed regulation for a comprehensive set of measures to increase resilience and enhance cybersecurity preparedness. The proposed regulation contains a number of encouraging initiatives, including greater coordination across Member States in the implementation of the Network and Information Systems (NIS) Directive, new cyber education initiatives, and a drive for greater international cooperation. It also includes a permanent mandate for the European Union Agency for Network and Information Security (ENISA) as a centralized cybersecurity resource.

One area of concern is the proposal to launch standards, certification, and labelling requirements for connected devices that make up the Internet of Things (IoT). While the proposal rightly recommends a voluntary framework and accounts for different security needs of a diverse collection of devices, it could have unintended consequences which take us further from, not closer to, a cybersecure IoT.

With 20 billion connected devices anticipated by 2020, the IoT will change the daily lives of consumers by revolutionizing tasks ranging from purchasing products to driving cars to managing health issues. These innovations will bring huge benefits to consumers, but they also carry with them notable risks if not paired with levels of security appropriate to the information and activities at hand.

Companies, researchers, and governments continue to make significant investments in increasing the security of connected devices and have demonstrated tangible progress. But technological innovation can only take us so far because cybersecurity is not static. It is constantly evolving. A device that is considered secure on the day it is sold may not be secure thereafter, as new vulnerabilities are discovered. In short, security requires vigilance to stay one step ahead of those seeking to do harm.

While businesses have a role to play in identifying and providing solutions for vulnerabilities, consumers must also play their part by updating passwords and patching software. Trust labels can ultimately be counterproductive if they create a false sense of security among consumers. After all, if consumers buy devices labelled secure they will question the need to invest in additional security. Moreover, in the event of a high-profile breach, consumers may lose trust in all devices that carry a trust label. When it comes to cybersecurity, attempts to regulate or provide trust labels become outdated quickly.

From a trade perspective, even voluntary standards and certification requirements risk creating nontariff barriers to IoT devices and services. While the proposal’s guidance to “rely on international standards as a way to avoid creating trade barriers and ensure coherence with international initiatives” would help to limit this possibility, it doesn’t eliminate it.

As will be outlined in a forthcoming paper by the U.S. Chamber of Commerce and the law firm Wiley Rein, the development of global standards is the best way to promote common approaches and technology solutions to security. Regulatory responses are inadequate to keep pace with the evolution of the IoT.

It will take a sustained partnership between government and industry to provide the necessary investments in ongoing technological innovation, consumer education, and threat management. Consumers, meanwhile, must be responsible for implementing basic cyber hygiene, so that up to 90% of cyber breaches could be avoided.

IoT security is a global challenge requiring flexibility and international collaboration.

About the authors

Alexander Botting

Alex Botting is the former Director of the Center for Global Regulatory Cooperation (GRC).