The European Union on Tuesday moved closer to having new rules on cybersecurity certification and cooperation between countries, after the European parliament’s industry committee advanced a proposed Cybersecurity Act.

The committee, known as ITRE, overwhelmingly voted through a report that will set out the parliament’s negotiating stance on the law, if it is approved in a plenary vote after the summer recess.

That would open the way for talks with member states, and ultimately the introduction of the new regulation.

However, consumer groups are not happy with the text that’s going through. They say it leaves a major attack vector open, because it doesn’t introduce mandatory security certifications for connected consumer products, such as smartwatches and smart home devices.

The certifications in question would state that the product or service has no known vulnerabilities, complies with international standards and specifications, and can only be used by authorized people.

Parliament only wants mandatory certifications for tech products and services that present the highest security risks. These certifications are likely to include things like energy infrastructure, although the details still need to be thrashed out in negotiations.

And even there, parliament is the EU institution that wants the toughest rules. The European Commission and the Council of the EU, which represents the bloc’s member states, are keen on an entirely voluntary system.

According to European consumer organization BEUC, everyone is missing the severity of the threat posed by insecure connected devices of the more everyday variety.

“Connected products without proper security are popping up across our continent, paving the way for the next big cybersecurity crisis,” said BEUC director general Monique Goyens.

That’s why consumer groups have long been calling on European institutions to mandate cybersecurity requirements, such as security updates, strong passwords or encryption for smartwatches, connected cars, and smart fridges, she said.

“There are rules to make our cars safe. There are rules to make our food safe. But there are no rules to make connected products safe and secure,” Goyens added.

“It is very disappointing that the EU institutions still seem to underestimate the dimension of the problem and are unwilling to address it by mandating security by design and default.”

Meanwhile, the Computer & Communications Industry Association, a tech industry lobbying group, welcomed the approved report.

“We urge member states to support Parliament’s position on this matter in the final negotiations,” said CCIA senior manager Alexandre Roure.

BEUC is an umbrella body of consumer groups, with national members including Which? in the UK, and StiftungWarentest in Germany.

Several of these national watchdogs have come out with reports in the last year or two that demonstrate the risks associated with insecure connected products.

Which? identified flaws in connected toys that would let strangers talk to children, for example, while the Norwegian Consumer Council highlighted serious vulnerabilities in kids’ smartwatches that threaten users’ privacy.

Apart from these reports, the advent of botnets such as Mirai have demonstrated just how dangerous insecure connected devices can be, when dragooned into providing firepower for distributed denial-of-service (DDoS) attacks.

However, the failure of the Cybersecurity Act to address such issues may not be the end of the story.

BEUC communications chief Johannes Kleis suggested that there might be a way to introduce new cybersecurity requirements for connected products in the upcoming revision to rules for radio equipment.

And then there’s the Digital Content Contracts Directive, a piece of legislation that is currently being negotiated with the Council of the EU.

Although this directive is nominally about giving consumers better protections when buying digital content and services online, the European Parliament managed to make amendments that would have the law cover embedded software.

If these parts of the directive survive the law’s final negotiations, they would force retailers to at least tell customers about the security updates they should install when security flaws in connected devices come to light.

For now, though, the security of connected smart devices still falls into what BEUC describes as a “gaping hole in EU legislation”.

Source: ZDNet