A draft bill to set up an EU system certifying the cybersecurity level of tech products is still trapped up in negotiations after the European Commission announced the overhaul last September.

The EU cybersecurity agency ENISA is already eyeing how it will define different security levels for a growing area of digital devices that companies are pushing onto the market as they develop more products in the so-called internet of things.

The agency is tasked with outlining how the new scheme will work and what items should be certified.

An ENISA expert on the internet of things spoke about the EU scheme at the Mobile World Congress in Barcelona, a large annual conference that finished on Thursday (1 March).

Fast internet networks were in the spotlight at the event, as operators outlined plans to introduce 5G mobile services. Telecoms companies and hardware manufacturers were quick to promote the new technology as a driver for the internet of things, driverless cars and artificial intelligence.

ENISA’s director Udo Helmbrecht suggested that the certification programme could make hardware one of its early targets. He said a secure SIM card or chip could add an extra safeguard to protect products like phones or cars from hackers.

“From a certification perspective, a regulation perspective, it would be a good idea to look into these kinds of hardware products, protocols, and think about how to do a certification scheme for these,” Helmbrecht told EURACTIV on the sidelines of the congress earlier this week.

“If you start in hardware from the beginning, you build on top of it. Everything is secure from the beginning,” he added.

Helmbrecht named the example of Germany’s requirement for smart energy meters to receive government-approved cybersecurity certification before going on sale.

“You can be sure a smart meter is secure and it works. Then everything you build on it has security by design,” he said.

EU cybersecurity chief: Now is the time to discuss liability

There needs to be more discussion about liability for cybersecurity attacks, Steve Purser, director of operators at the EU cybersecurity agency ENISA, told EURACTIV.com in an interview.

The congress in Barcelona showcased internet-connected features from a range of different industries, like entertainment systems in cars or smart city fixtures that monitor utility supplies.

Negotiators steering the certification bill through discussions will likely squabble over whether some products should fall under a mandatory certification scheme. The Commission proposal did not recommend such an obligation.

The law will only go into effect after it is agreed between the Commission, the European Parliament and national governments in three-way negotiations. Those talks have not yet started.

But the plan is controversial and has ruffled feathers in the tech industry and in national capitals.

Some member states have taken issue with the bill because it gives ENISA expanded powers to define how the certification scheme works.

Tech companies are wary of how different security levels will be categorised.

A spokesperson for IBM said, “What’s most important for certification is not what gets certified first, whether at hardware or software level, but to get the overall certification process right: ensure that requirements are clear and that the standards in place to meet these requirements.”

The Commission has argued that its proposal will help companies by giving them access to cheaper offers for certification that applies across the EU, since they will no longer need to have products approved separately to sell them in different member states.

In internet-connected products “most functionalities rely on software. Certification of that software is therefore a minimum requirement. Hardware certification, which can be costly, is desirable as well since an attacker can in many cases get physical access,” a spokesperson for Chinese equipment maker Huawei said.

The EU proposal gives the example of varied prices for certification of smart energy meters, which costs more than €1 million in Germany and €150,000 in France and the UK.

Some in the telecoms industry argue that the growth of the internet of things might also bring on new vulnerabilities because traditional manufacturers are not as experienced with creating secure digital products.

John Giusti, chief regulatory officer at GSMA, the trade body that organises the Mobile World Congress, said in an interview that the Commission’s proposal raises “a discussion that needs to happen”.

“You have a lot of people providing equipment who never used to provide connected equipment. They’re not as used to security safeguards like mobile operators and certain other providers would be,” Giusti said.

He added that it is “really important to make sure that we get the entire value chain aligned.”

In 2016, the Mirai botnet knocked out service for 900,000 Deutsche Telekom customers by infecting their internet routers.

Helmbrecht said that the vulnerability of those devices showed that the internet of things has opened up new cybersecurity risks, and mobile 5G connections are likely to raise even more concerns.

“These were IoT devices linked via LAN (local area network) into the internet and they were compromised because all of the simple things like patching were not possible. Passwords were not possible. It was open, it was not secured,” Helmbrecht said, referring to the 2016 attack.

“Now if you put a mobile connection into this, the risk surface just explodes. Why should it be better?” he said.

Next generation 5G technology is not yet available for commercial use, and EU member states want it up and running across the bloc by 2025. It is expected to provide much faster wireless speeds than 4G networks.

Europe in ‘terrible hurry’ as pressure mounts in global race for 5G

There will be growing pressure this week on European companies and politicians as they struggle to keep up with Asia and the United States on launching fast 5G mobile services.