UL is lending its market insight and cybersecurity expertise to the development of legislation set to consolidate standards in the European Union.
The global Internet of Things (IoT) market is projected to surpass the $1 trillion mark by 2020, according to the International Data Corporation (IDC). Also soaring is the potential for cyber threats that stem from the increasing reliance on connected technologies. In fact, according to a 2018 McAfee report, the global cost of cybercrime has now reached as much as $600 billion — about 0.8 percent of the global GDP.
As individuals, companies and entire economies increase their dependence on connected technologies, helping to ensure the security of IoT innovations is critically important in both established and emerging markets.
“There’s quite a range when it comes to players in the cybersecurity landscape, especially in Europe, where some countries have stronger measures than others,” said UL’s Alexander Koehler, a business development manager for cybersecurity based in Frankfurt, Germany.
The European Union (EU) comprises 28 different countries, each with its own unique history, economic maturity level and approach to cybersecurity. For IoT device manufacturers navigating this inconsistent marketplace, it has become increasingly tough to do business throughout the entire EU given how many different requirements they face from one country to the next.
“For many years, European companies have expressed a desire for a consolidation in requirements, or to have no barriers across the European market,” said Koehler. “This drove the European Commission to begin development of a more formalized single cybersecurity framework that can reinforce the region’s prevention, response and resilience to cyberattacks.”
In their own words, the European Commission noted that “a failure to protect the devices which will control our power grids, cars and transport networks, factories, finances, hospitals and homes could have devastating consequences and cause huge damage to consumer trust in emerging technologies.”
Proposed in 2017 and expected to pass this year, a new “Cybersecurity Act” will include the development of the first voluntary Information and Communication Technology cybersecurity certification framework for IoT products in the EU region. The legislation also aims to strengthen the European Union Agency for Network Information Security (ENISA), carving out a role for the agency in the certification process, and expanding beyond its traditional role of providing expert advice to include performing operational tasks.
Industry associations, policymakers and member countries now have the bill under review. UL has maintained a seat at the table for those discussions, helping to provide a view of the market driven by its experience in cybersecurity risk management and Standards development as well as perspective gained from its global reach. For example, UL has introduced its Standard, “UL 2900-1 Ed. 1 2017, Standard for Software Cybersecurity Network-Connectable Products, Part I: General Requirements,” into the conversation as an applicable example of how the European Commission might structure a cybersecurity framework for the EU. European businesses have begun testing products against UL’s voluntary Standard, and the European Commission mentioned it as a solution for consideration in a September 2017 impact assessment that accompanied the original legislative proposal.
For the past 20 years, UL has served as a partner to companies in Europe across a number of industries, such as financial services, advising them on how best to navigate cybersecurity risks in addition to conducting a range of safety testing on their products.
“With the EU landscape likely to change yet again with the Cybersecurity Act legislation, we will provide companies a migration path to help them more easily navigate any new standards and adopt new risk protocols,” Koehler said. “Given the constant flow of products entering the market and a business environment reliant upon global supply chains, time is of the essence to take the EU to the next level of cybersecurity.”