2022 Updates: Global Cybersecurity & Data Privacy Frameworks

In 2016, leaders of the G7 came together to discuss the implementation of cybersecurity and data privacy frameworks.  Due to the rapidly growing digital economy, collective discussions culminated in the release of the G7 Ise-Shima Leaders’ Declaration.

As bad actors become more sophisticated, new cybersecurity and data privacy frameworks have been introduced. In this article, we take a retrospective look at some of the latest cybersecurity strategies introduced in 2022.

EU: Introduction of the Cyber Resilience Act

The EU has been the strongest proponent of cybersecurity and data privacy regulations

As of 15 September 2022, the EU Commission announced the Cyber Resilience Act (‘Act’). This is a part of the broader 2020 EU Cybersecurity Strategy and a complement to the existing NIS and NIS2 Directives.

The Act augments current security practices for critical digital products, including IoT devices and associated services.   

Two main categories of critical digital products are defined by their cybersecurity risk level:  

  1. The first includes password managers, network configuration systems, modems, routers, microprocessors, industrial IoT applications, and more.  
  2. The second encompasses operating systems for servers and consumer devices, smart meters, cyptoprocessors, and more.  

These regulations impose obligations at every stage of the value chain. Manufacturers, distributers and even importers must adhere to these standards to obtain approval for sale within the EU. These protections extend throughout the entire lifecycle of a product.  

Among the many elements in the Act, the regulations primarily lay out:  

  • Guidelines for the design, development and production of digital products;
  • Vulnerability handling requirements over the product’s lifespan;
    • Conducting regular reviews of the security of the product; or
    • Enforcing a policy on disclosure of breaches
  • Surveillance and enforcement of rules and requirements which includes preventing the sale or banning of products with known vulnerabilities

Those who fail to comply face minimal financial penalties of €5M or 1% of the previous year’s worldwide annual revenue. These can scale up to a maximum of €15M or 2.5% of the previous year’s worldwide annual revenue. 

UK: Electric Vehicle Regulations & Data Security

EV chargers are going to come under more intense scrutiny

On 30 June 2022, the Electric Vehicles (Smart Charge Points) Regulations took effect in the UK. These are applicable to public EV charge points, but privately owned EV chargers in homes and office spaces as well.   

The provisions state that all EV charge points must be enabled with “smart” functionality, requiring them to:  

  • Measure, record and transmit electricity usage for energy suppliers and users;
    • Giving users the option to charge their EVs at off-peak times
  • Remotely operate charge points; and  
  • Ensure supplier interoperability for charging points to work with any electricity supplier

Any EV charge points installed or sold from 30 December 2022 must adhere to these standards:  

  • Charger specific unique passwords and credential management;
  • Cryptographic measures and updates to protect against potential cyberattacks;  
  • Encrypted communications between chargers and servers; and  
  • Secure software updates and patches, including timestamped security logs to detect intrusions and notify charger owner

These industry specific regulations complement the existing Product Security and Telecommunications Infrastructure (PTSI) bill which sets similar provisions for digital consumer products sold and operated in the UK.  

Ensuring that devices that process personal data comply with GDPR. Alongside secure credential storage, minimizing access points for bad actors, validating input data via secure APIs.

US: Revisions to NIST’s Cybersecurity Framework

NIST 2.0 is expected to be introduced in Q3 of 2024

Across the Atlantic, the National Institute of Standards and Technology (NIST) Cybersecurity Framework began their revision process for the NIST Cybersecurity Framework 2.0 in August 2022. This framework remains one of the most widely adopted security frameworks across all US industries.

Working in tandem with the US Cybersecurity & Infrastructure Security Agency, NIST Framework offers guidance for organizations looking to better manage and improve their cybersecurity resilience.  

Key considerations set forth in the NIST Cybersecurity framework includes ways to identify, protect, detect, respond and recover from a cybersecurity breach including:  

  • Current risk management practices;
  • Threat environment ;
  • Legal and regulatory requirements; and  
  • Information sharing practices

The NIST Cybersecurity Framework has quickly become one of the most widely recognized cybersecurity safety standards across all industries. Global governments and private stakeholders alike have adopted approaches that are compatible with the framework established by NIST to avoid confusion, or even conflicting security expectations in the global business environment.  

Canada: Digital Charter Implementation Act

The Digital Charter Implementation Act will consolidate cybersecurity and data privacy acts under one unbrella

In June 2022, the Government of Canada tabled Bill C-27 – the Digital Charter Implementation Act – to establish the highest levels of data privacy for consumers, and ensure companies are acting responsibly with regards to data collection and usage.   

The Act will encompass three proposed frameworks:

  1. The Consumer Privacy Protection Act;
  2. The Artificial Intelligence and Data Act; and
  3. The Personal Information and Data Protection Tribunal Act

Separately, these frameworks have provided important protections. Yet the Canadian government intends to broaden its approach to ensure data privacy and trust is maintained in a rapidly evolving ecosystem.  

Key foundational provisions that these acts share include:  

  • Increased transparency over information collection, sharing and removal processes by organizations;
  • Prohibitions and penalties regarding non compliancy or harm arising from reckless deployments;
    • Including fines of up to 5% of global revenue or $25 million, whichever is greater; and  
  • Extending the authority of government bodies for enhanced monitoring and enforcement
Final thoughts

These requirements echo current globally applicable standards of cyber security – ETSI EN 303 645.

ETSI 303 645 established a cybersecurity baseline for manufacturers to ensure cybersecurity is incorporated into IoT products from the point of design. The standard is based on 13 high-level recommendations, used to establish 68 provisions, 33 mandatory requirements and 35 recommendations.

Keeping up with current and upcoming cybersecurity requirements can be difficult. Why wait? Our industry experts are here to provide guidance at every step of your IoT development.

We can help you implemented important cybersecurity measures across the value chain to maintain your reputation as a trusted provider.   

To learn more about the global cybersecurity landscape, feel free to check out this webinar with mobile phone and IoT security expert, David Rogers, here.

Comments are closed.