Regulating the Security of Consumer Internet of Things Devices in the EU
Cyber Law Assignment 1
Lisa McDowell - S2236044
2021
Introduction – Security of IoT
Many of the devices that we use day to day are connected to the internet either directly or indirectly. These
devices are a part of what is called the Internet of Things (IoT). Fitness trackers, smart TVs, and other
things are becoming increasingly popular with consumers as they add functionality and convenience. It is
however often overlooked that these devices are riddled with security flaws which can allow someone with
the necessary technical knowledge to gain control over the device and use it for malicious intent, either
directly against the owner or for an attack on a larger scale such as the Mirai botnet attack [1]. While this
issue is not being completely ignored, this paper will argue that a more encompassing regulatory framework
should be developed to encourage the proliferation of secure IoT devices.
The first section will explore the issues that the lack of IoT security creates, and the second part will discuss
the current EU regulatory framework by applying Lawrence Lessig's Modalities of Regulation. The
third section will list the challenges that exist for trying to regulate security and the IoT. The fourth section
will look at the potential to expand on this existing framework to address the issue of security in a more
effective way. Lastly, I will round off this paper with a conclusion.

Current Regulatory Framework


This section will explore the current existing regulatory framework for security in IoT devices. It will apply
Lawrence Lessig's four modalities of behaviour regulation [4] to give a complete overview of the current
regulation that encourages the dissemination of secure IoT devices.
Lessig's four modalities are law, social norms, market, and architecture. Law regulates by sanctions ex post
if rules are not obeyed. Social norms are rules about behaviour that are enforced by the community. The
market regulates through price, while architecture consists of the constraints posed by the world as it is found.
These four modalities operate together to modify the behaviour of an individual and will be addressed in
order of relevance here.
Architecture (Code)
Most technical standards that are essentially mandatory to ensure device interoperability do not consider
security [5]. Many security standards, such as encryption, address security at a technical or code level, as this
is the only way to prevent a device from being taken over by a malicious attack [6]. However, encouraging the
implementation of standards by the market requires other modalities. As such, these standards will be
considered under market, especially as future certification presents a potential constraint on the devices
on the market. The complete technical function of these standards will not be considered in depth here,
as that would require a complete paper on its own and has been done before [7].

[1] Brass, I. & Sowell, J.H., 'Adaptive governance for the Internet of Things: Coping with emerging security crisis' (2021) 15, Regulation & Governance <https://doi.org/10.1111/rego.12343> accessed 2 December 2021
[4] Lessig, L., 'The New Chicago School' (1998) 27(2), The Journal of Legal Studies <https://doi.org/10.1086/468039> accessed 2 December 2021
[5] ENISA, 'IoT security standards gap analysis: Mapping of existing standards against requirement in security and privacy in the area of IoT' (2018) <https://www.enisa.europa.eu/publications/iot-security-standards-gap-analysis> accessed 2 December 2021
[6] Youm, H. Y., 'An overview of security and privacy issues for Internet of Things' (2017) 100(8), IEICE Trans. Inf. & Syst. <https://www.jstage.jst.go.jp/article/transinf/E100.D/8/E100.D_2016ICI0001/_pdf> accessed 2 December 2021
[7] Ibid.
Law
According to the European Convention on Human Rights [8] and the EU Charter [9], respect for one's private
and family life, home and communications is recognised as a universal right. In addition, Article 8 of the EU
Charter lays down the fundamental right to data protection.
GDPR
The General Data Protection Regulation [10] regulates the protection of data and as such also addresses the
security of data.
Articles 24 and 25 give data controllers the responsibility to implement the appropriate technical and
organisational measures to ensure they are following the regulation, and the obligation to ensure
privacy by design and by default. This means that by default they may only collect the minimum necessary
data and they must ensure that the data cannot simply be accessed by anyone. Article 32 states that measures
that ensure a security level appropriate to the risk, including the risk of unauthorised disclosure, should be
implemented.
e-Privacy Directive
The e-Privacy Directive [11] in its current form is not very powerful. As such, this paper will consider the new
proposed version [12] instead. Article 5 simply states that all communication data shall be confidential and
any interference except by the end-user is prohibited unless expressly allowed. The use of terminal
equipment such as IoT devices by anyone except for the end-user is generally prohibited under Article 8.
Article 17 gives service providers the obligation to remedy any new security risks or inform end-users of
the measures they must take themselves.
According to these laws, a breach of an IoT device is illegal and the data controllers (in this case the device
manufacturers) can be held liable for it, if it was a known security vulnerability.
Market
The market is riddled with non-mandatory security standards, such as standards by various organisations [13].
These are not necessary for device interoperability and are not legally required, but could increase
consumer trust in devices [14]. The European Union Agency for Cybersecurity (ENISA) is working with
various stakeholders to create an EU-wide standardisation and certification scheme which in the future
will provide a harmonised framework for security standards and allow for an easy comparison of security
specifications [15].

[8] European Convention on Human Rights as amended by Protocols Nos. 11, 14 and 15, supplemented by Protocols Nos. 1, 4, 6, 7, 12, 13 and 16 [1950], art 8
[9] Charter of Fundamental Rights of the European Union [2000] 2000/C 364/01, art 7
[10] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L 127
[11] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) [2002] OJ L 201
[12] Proposal for a regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) [2017] 2017/0003(COD)
[13] Youm
[14] ENISA
[15] Ibid.
Social Norms
Consumers desire to keep their data safe, especially from malicious intent. It is questionable, though, how
strong this desire is considering the number of insecure devices currently on the market. Furthermore,
there are many challenges to the security of the IoT that will be addressed below.

Challenges
Law
The existing law largely addresses security from a privacy standpoint. While consumers technically have
the right to hold a company liable for a breach, few do. Often production companies come from Asia,
which can make it hard for the law to effectively reach them. In addition, the quickly evolving nature of
the IoT makes it hard for traditional legal processes to keep up [16]. These factors lead to an existing but
ineffective legal framework.
Market
Capitalist market dynamics work against trying to regulate security in IoT devices, because security is
expensive [17]. Any regulation could make it hard for small companies to enter the market and in turn stifle
innovation. In addition, the companies who are developing these devices are not cyber security companies,
which makes it harder for them to ensure proper safeguards on their devices [18]. As such, a proper balance
between regulating security while not stifling innovation needs to be struck.
Social Norms
While many say that they are concerned about the security of their devices and networks, few are willing
to put in the effort to ensure it [19]. Smart devices are used for their functionality or their convenience, not
because they are secure. If a user must manually install updates, then there is a decent chance that it either
will not happen or will happen too late, leaving a security risk in place [20]. This leaves little space for social
pressure to drive increased security.
With the current standards market, devices can conform to many standards and yet still not be secure, as
certain vulnerabilities can slip through the gaps [21]. This makes it impossible for consumers to tell which
devices are secure. The average consumer does not have the knowledge to be able to tell the difference [22].
Architecture
This lack of technical knowledge leads to problems. For example, a group of technicians installed a set of
smart lights but took the complete network of the house down because the gateway was not configured
correctly. It required a network engineer to figure it out [23]. This type of knowledge cannot be expected from
the average consumer and leads to security risks.
There are many technical challenges to securing IoT devices. For example, resources such as memory
and processing power on an IoT device are limited [24]. This can make it hard to run traditional security
measures such as encryption or firewalling on the devices themselves, making them and their data streams
vulnerable [25]. There are solutions to many of these issues [26], but going into them in depth would
be beyond the scope of this paper.

[16] Youm
[17] IEEE, 'Should the Government Regulate IoT Devices?' (IEEE Innovation at Work, 2021) <https://innovationatwork.ieee.org/should-government-regulate-iot/> accessed 2 December 2021
[18] Peppet, S.R., 'Regulating the Internet of Things: First Steps toward Managing Discrimination, Privacy, Security and Consent' (2014) 93 Tex L Rev 85
[19] Ibid.
[20] Youm
[21] ENISA
[22] Sembhi, S., 'The Impact of IoT Security for Consumer Devices' (IFSEC Global | Security and Fire News and Resources, 2021) <https://www.ifsecglobal.com/cyber-security/the-impact-of-iot-security-for-consumer-devices/> accessed 2 December 2021
[23] Anonymous, Lights Story (Personal Communication, 2021)
[24] Youm

Suggestions
The main suggestion is to implement a mandatory certification scheme for all IoT devices in Europe,
issued by ENISA. This should build and expand on ENISA's current framework for certification [27]. It
should not be one size fits all, but should be developed with different levels depending on the risk, and
should take a holistic approach to devices and networks as a whole [28]. A grading system can be used to show
the different levels.
Law
It should be legally required for any IoT device sold in the EU to have an EU cybersecurity certificate. In
addition, the liability of producers of these devices should be increased by defining a minimum threshold
for security by design by law (see architecture). As such the law should only regulate the minimum
requirements using recommendations by ENISA. The higher levels should be set by ENISA in
collaboration with the industry (see market).
Social
This certification scheme should be designed to increase user awareness about the problem of security.
This should hopefully create larger social pressure to increase the security of devices, because users can
understand what they are buying immediately. In addition, security-conscious users should be more
willing to pay for the additional security when they understand what they are getting.
Market
Legally setting only the minimum requirement minimises the impact on innovation. In addition,
government should introduce subsidies to help small companies with good ideas afford the security they
require to enter the market. The higher grades of security in particular should be set in collaboration with the
industry, and ENISA should continue their work on interconnecting actors and increasing the speed of
certification and standardisation.
Architecture
Security by design should be encouraged in the minimum requirements. For example, complicated
configuration should be avoided as much as possible. In addition, the devices and the networks they are
connected to should be considered as a whole. For example, while encryption can secure the data stream
stemming from the device, it does not necessarily protect the device or the connected network from
malicious breach.

Conclusion
The existing framework of regulation around securing the IoT is inadequate and was largely designed to
address privacy, not security. While these spheres overlap, this does not create an adequate framework. The
speed of the developing industry and the specific expertise required to maintain such a framework mean
that the day-to-day work should be done in a more flexible environment than traditional law. ENISA
offers the perfect grounds for the maintenance of a certification scheme that is reinforced by European
law. Their flexibility and industry contacts will allow them to stay on top of current developments while having
the legal backing required to enforce minimum standards. Consumers are protected and encouraged to
invest in the security of their devices while not requiring extensive technical knowledge. The suggested
framework should aid in the proliferation of secure IoT devices.
While this approach does not solve all problems, it should be a step in the right direction. Completely
defending against cyberattacks will be impossible, but the flexibility in the setup should allow for relative
resilience against the problem while setting up mechanisms for future development.

[25] Youm
[26] Youm
[27] ENISA
[28] ENISA
