IoT vulnerability reporting obligations set to apply in EU from 2027
Politicians negotiating the European Union’s new Cyber Resilience Act for internet-connected products have reached a provisional agreement on the contested legislation, with vulnerability reporting obligations set to enter into force in 2027.
Proposed as a way to raise security standards for Internet of Things (IoT) devices, from smartphones to fridges, the legislation has prompted concern over its details, although the provisional text is not publicly available.
Manufacturing and design practices mean many IoT products introduce additional risks to the home and business networks they’re connected to. In one often-cited case described by Darktrace, hackers were allegedly able to steal data from a casino’s otherwise well-protected computer network after breaking in through an internet-connected temperature sensor in a fish tank.
Bart Groothuis, the rapporteur negotiating the CRA on behalf of the European Parliament, previously told Recorded Future News he was “very worried” about some of its provisions.
One of Groothuis’ key concerns relates to a requirement for “any product which contains a microprocessor” to go through a “conformity assessment” — meaning the product would have to be certified by a third-party before becoming available — something which will increase production costs and delay product launches.
According to the broad description of the provisional agreement, the legislation now includes support measures for small and micro enterprises when it comes to these conformity assessment procedures. It also includes “a simpler methodology for the classification of digital products to be covered by the new regulation.”
Although the text of the provisional agreement has not been published, a source with knowledge of the process told Recorded Future News that alongside the technical conformity assessment, a non-technical assessment is also available, potentially providing the European Union with more leverage to exclude Chinese products from the single market.
Fears over creating a hacking target
As initially proposed, the legislation would ban companies from selling products that contained “any known exploitable vulnerabilities,” potentially obliging them to engage in expensive recalls while also forcing them to report significant incidents of active exploitation to ENISA, the EU’s cybersecurity agency.
Groothuis was concerned about that requirement. “I don't like them [ENISA] stockpiling critical vulnerabilities. It's a risk in itself for the safety and security of the internet because other agencies might want to go for that. It's a treasure,” he said.
Under the CRA, companies that fail to comply with their obligations to report actively exploited vulnerabilities could face administrative fines of up to €15 million (about $16.62 million), or 2.5% of their global turnover, whichever is higher. Supplying misleading information to national incident response teams could result in a fine of €5 million ($5.54 million), or 1% of global turnover, whichever is higher.
The European Council also pushed back on the central role initially suggested for ENISA, calling in its amended version of the legislation for manufacturers to instead disclose vulnerabilities to the national Computer Security Incident Response Team (CSIRT) in the country where they are based.
The Council’s proposal has been adopted, although it is not clear whether the move will address some of the concerns about the agency stockpiling information about ongoing hacking activities. Instead of manufacturers reporting directly to ENISA — which is based in Greece and has just over 100 employees — they will simply report to the CSIRTs, which then will upload the report to a platform ENISA maintains and operates.
According to the source, the provisional agreement currently contains the possibility of a derogation from sharing vulnerabilities where doing so may be detrimental to safety.
ENISA has already been tasked with establishing and maintaining an EU Vulnerability database — similar to the CVE database run by MITRE — under a recent update to the Network and Information Security (NIS2) Directive, which went into force in January of this year. The agency is still establishing the policies and procedures around this database to ensure its security and integrity.
The proposed single reporting platform would be designed so that each incident response team can put in place its own “electronic notification end-points.” The design of the platform, including its security arrangements, would be established by the EU’s network of CSIRTs.
ENISA would have a duty to “notify without undue delay any security incident affecting the single reporting platform to the CSIRTs network.”
The provisional agreement also pushes back further the point at which these obligations take effect, to three years after the regulation enters into force, "which should give manufacturers sufficient time to adapt to the new requirements."
The details of the provisional agreement are not public, although an unofficial version will be available in December. The final official version will be adopted next spring, suggesting the reporting obligation would begin to apply in 2027.
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.