Cyber-secure your products: much anticipated legislation is arriving for product safety in the EU

The European Union Commission has recently proposed revisions to the 20-year-old General Product Safety Directive (the GPSD), an important legislative regime covering product safety and consumer protection.

Whilst these revisions are of general importance in overhauling the regime as a whole (as discussed in our previous article), they are particularly significant in respect of developments in cybersecurity and privacy.

Specifically, software has become an integral part of smart devices, meaning consumers are exposed to cyber-attacks that exploit vulnerabilities and can lead to the loss of personal data. The current definition of ‘product’ within the GPSD, however, does not address the interconnectivity of products or software generally.

Legislative background in the UK and EU

While the proposed revisions represent major changes under the GPSD, the regulation of cybersecurity of products has been debated in the UK and EU for several years.

  • Policy challenges of the Internet of Things (IoT) were examined at EU level in a 2008 Commission Staff Working Document which focused primarily on RFID (Radio Frequency Identification) technology which, in brief, is a wireless technology using electromagnetic fields to identify a person or object. A common example is contactless payment cards.
  • In 2018, the voluntary Code of Practice for Consumer IoT Security was published which set out 13 guidelines to be applied by manufacturers and other stakeholders to improve IT security of IoT products connected to the internet, home network and associated services (such as mobile apps, and cloud storage) for the protection of consumers’ privacy and safety. These guidelines are reflected in the European Standard EN 303 645 adopted in 2020.
  • In April 2021, the UK Government responded to a consultation proposing the regulation of cybersecurity for consumer smart products, suggesting mandatory requirements for products sold in the UK. These include secure, unique passwords that cannot be reset to universal default passwords, which are inherently insecure.
  • For some time, cybersecurity and IT integrity have been considered in the context of medical devices. This is evidenced by the new EU medical devices legislative suite, including the Medical Devices Regulation (MDR), which requires software incorporated into a device to have ‘state of the art’ security. This followed the ‘Guidance on Cybersecurity for medical devices’ whitepaper dated December 2019.

It is clear that the past decade has seen a greater move towards the regulation and standardisation of IoT products, but a more rounded legislative regime covering cybersecurity for all other products is yet to be introduced in the EU. This has given rise to the revised GPSD, which is intended to act as a safety net covering product safety requirements where they are not set out in other directives.

Proposed changes

The proposed amendments to the GPSD regarding cybersecurity and privacy are as follows:

  • A new definition of ‘product’ which now covers items that are ‘interconnected or not to other items’ which is understood as a reference to IoT products.
  • The inclusion of free software updates for the consumer as a right of remedy where an economic operator recalls the product.
  • Accounting for the effect a product has when interconnected with another, and a product’s cybersecurity features that protect it from malicious third parties, when assessing the safety of a product.
  • The inclusion of a broad range of standards, such as European and international standards, opinions of recognised scientific bodies, and even reasonable consumer expectations, to assist in assessing the safety of the product.

Checklist for companies to prepare

Companies should continue to monitor the progression of these proposed changes.

Whilst it is impossible to predict the final content of the revised GPSD, especially given that previous EU product safety law amendments and drafting processes have been notoriously long and convoluted, on the assumption that the final form of the law will resemble the current proposals, companies could consider the following preparatory actions from a cyber and privacy angle:

  • Ensure regular software updates are available to consumers particularly when security vulnerabilities are detected.
  • Require consumers to set up strong passwords upon first use of the product (and consider two-factor authentication for any applications that store particularly sensitive data), and avoid universal default passwords.
  • Ensure all parties in the supply chain are aware of, and are trained on, the obligations that will be imposed upon them.
  • Properly assess the safety of products both in isolation and when connected to other products.
  • Follow current European and/or national standards for assessing the cybersecurity of products.

Comment

Whilst the proposed amendments tangentially touch upon software, privacy and cybersecurity issues, these are still not tackled explicitly or sufficiently. For this reason, there are likely to be significant developments yet to come.

Nevertheless, the proposals will assist in filling the gaps left by other EU Directives on cybersecurity in products. This is particularly so in addressing the need to ensure safety throughout a product’s lifetime, in the form of software updates, and the dynamic usage of products, be they interconnected or not.

Following the government consultation and the success of the voluntary Code of Practice, it is expected that the UK will also adopt its own similar legislation when the current GPSD no longer applies.
