IoT Consumer Labeling Goes Global – What This Means for Vendors and Consumers
This is shaping up as a big year in cybersecurity regulation in the internet of things (IoT). In January, two of the world’s biggest markets for connected devices, the European Union and the United States agreed on a “joint roadmap for a consumer labeling program.”
Cybersecurity labeling is therefore on the cusp of going global, posing big changes for device production and consumption. Let’s consider what this means for vendors and consumers on both sides of the Atlantic.
The Cyber Trust Mark Goes Global
As I’ve written previously for Security Boulevard, a lot is happening in EU IoT. The bloc is preparing to introduce the Cyber Resilience Act in the coming months. This world-first legislation will set minimum cybersecurity standards for connected devices and require products to stay up-to-date throughout their lifespan. As a result, by law, default passwords and unpatched devices will become a thing of the past in the EU.
This latest agreement with the U.S. will up the ante. Not only will products have to meet certain thresholds to be sold under the act, but they will also have to meet certain thresholds to receive a consumer seal of approval.
The consumer mark in connected devices and smart home products is an initiative spearheaded by the Biden administration to guide consumers on what does and doesn’t meet cybersecurity standards. Think of it like an anti-hacker Energy Star label. Later this year, this mark will give producers another set of cybersecurity targets to aim for and consumers an indication of what meets the grade.
What it Means for Consumers and Producers
The global expansion of the cybersecurity checkmark is good news for consumers. The average household in the U.S. now counts more than 16 devices and the stronger these devices, the stronger the attack surface. Conversely, the weaker these devices, the weaker the attack surface – a concern since video is taking over the sector and compromised endpoints could give hackers a direct line of vision into the home.
Likewise, most consumers don’t actively think about cybersecurity when purchasing the latest smart vacuum or video doorbell. Introducing a recognizable seal across different markets will help point consumers in the right direction.
It must be said that the checkmark is also good news for producers. Why? No serious company makes devices with default passwords or abandons software patches for active product lines. This checkmark points consumers toward better device makers and away from subpar producers. Ultimately, this will improve the IoT market.
The best advice for producers is to prepare for the Cyber Resilience Act and consumer checkmark concurrently. Comprehend the relevant rules, consult legal and technological experts and evaluate your cybersecurity procedures. Subsequently, allocate sufficient time for troubleshooting and upgrading.
Of course, attaining the consumer checkmark is optional for EU and U.S. producers. But doing so is likely to help the bottom line. In the U.S., for example, more than three-quarters of consumers (78%) who bought products with the Energy Star label said the label was “influential” in their purchasing decision. More than half (52%) said it was “very influential”. Receiving the checkmark could therefore offer an important competitive edge.
Europe: The World’s Strictest IoT Market
It’s worth considering that, with two sets of landmark connected device protections on the way, the EU is about to be the world’s strictest market for IoT. In my view, this is a positive and overdue change.
The smart home and office have taken on added importance post-pandemic and consumers deserve security assurances. The EU has even said the bloc is only as strong as its weakest link. Allowing hundreds of millions of connected products without security obligations is no longer acceptable.
It will be interesting to see what’s next for the U.S. If the EU adopted its cybersecurity consumer mark, would the U.S. consider introducing its Cyber Resilience Act? Time will tell. Major tech regulation is always a tall order stateside, however, a top-down ruling that sets cybersecurity minimums with hefty fines could prove even more successful than a consumer checkmark alone.
Whatever happens, it’s good to see IoT getting the legislative attention and consumer protection it deserves. Dodgy devices and bad actors have flown under the radar for too long. It’s encouraging that governments on both sides of the Atlantic are changing the cybersecurity status quo for the better.
