On November 26, 2019, the Finnish Transport and Communications Agency, Traficom, launched a cybersecurity label that guarantees devices have basic information security features. This is the first of its kind, so regulators in the rest of the EU particularly should be keen to adopt similar measures. Collaboration between countries and creating a universal approach will be critical in ensuring effective defense against cyberattacks.
Since completing a cybersecurity assessment earlier this year, there has been a major push by EU member states to introduce a robust cybersecurity framework across the region, as well as nationally in individual countries. The information security of smart devices is a challenge that regulators face globally, and several initiatives have been launched to improve their security. However, Finland is the first country to start granting information security certificates to devices that pass the required tests.
The Finnish cybersecurity label, which was launched in November 2019, guarantees that devices have a basic level of security and can be awarded to networking smart devices that meet the certification criteria. Such a label should help to raise consumer awareness of information security and the safe use of connected devices. The first labels have already been awarded to a smart heating system, fitness smartwatch, and smart home products. To accompany the new label, the agency has launched a website that provides basic information about the label, and allows customers to find products that have been certified and awarded the cybersecurity label.
Research shows that consumers are showing greater interest and concern regarding the data security of their devices. One Finnish person in two is concerned about the cybersecurity of smart devices, while two in three find it very important to have easy-to-access information available on their device's security. Calls for greater IoT regulation have spread throughout the world as smart devices are becoming increasingly common in homes, so it is important that these devices have the right level of security and that customers are fully informed about their security features. While these labels serve as a clear sign to customers, they also work as an incentive for vendors to strive toward basic cybersecurity standards, as well as providing a universal approach. The security level of devices varies considerably in the market and until now there has been no easy way for consumers to know which products are safe.
IoT devices are not restricted by borders and neither is criminality in cyberspace, so it is important that a global approach is reached regarding cybersecurity, as individual countries cannot solve this independently. Cooperation will be required to effectively defend against cyberattacks. Governments already share information and resources to protect their own systems from malicious actors, but this should be extended to security standards of consumer products. Consumer protection regulation continues to be high on the regulatory agenda, so other regulators should pay close attention to this labeling process and work toward applying something similar in their own jurisdiction.
"Regulating cybersecurity of 5G networks: a key concern for the EU," GLB005-000148 (April 2019)
Sarah McBride, Analyst, Regulation