This is the third in a series on the subject of legally mandated security. Sometimes, people think about legally mandated security as being primarily about privacy. While privacy is included in the scope, the subject is much bigger than that.

Below, I explore significant developments in the realm of cybersecurity and data protection – the U.S. Cyber Trust Mark and the proposed European Union Data Act.

U.S. Cyber Trust Mark

What a terrific idea!

The United States recently established the U.S. Cyber Trust Mark to protect consumers and businesses through a certification and labelling program for connected digital devices. Amazon, Best Buy, Google, LG Electronics U.S.A., Logitech and Samsung got on board with the idea right away, recognizing that anything that will make it easier for a buyer to purchase with confidence in the security of a device or technology is a good thing.

Unsurprisingly, the certification process follows NIST (U.S. National Institute of Standards & Technology) standards. The idea is that, if a product contains the U.S. Cyber Trust Mark, it can be regarded as safe. Each certified product will have a QR code link to a national registry of certified safe devices, so that its provenance can be verified.

Some of the work is ongoing, of course. For example, NIST is currently defining the security profile for consumer level Wi-Fi routers, and the U.S. Department of Energy is developing labelling requirements for smart meters, power inverters and the like.

The U.S. Cyber Trust Mark should make it much easier for persons who are not experts in the procurement of digital/IT products to purchase those products with confidence in their relative cybersafety.

European Union Data Act

As in other jurisdictions, the European Union (EU) has long recognized that the Internet of Things (IoT) provides a huge "surface" for the incursion of bad actors into private networks. For example, it might surprise you to know that your internet-connected refrigerator or washer/dryer is not inherently secure. If it is interacting with your home Wi-Fi system, it might be possible for spyware or other malicious code to find its way into your home devices via those appliances.

The quandary that the EU is attempting to solve through the Data Act (the "Act") is the balance between the right of consumers to keep their information private and the reasonable use of that data by commercial entities. The Act takes effect in September 2025, which gives industry players some lead time to become compliant. The regulator is the European Union Agency for Cybersecurity (ENISA).

The legislative intent of the Act is to facilitate orderly and lawful access to data generated in the IoT, while at the same time discouraging its use by commercial interests seeking to compete with one another. Under the Act, a data contributor can request access to data and direct data to a third party (which cannot be "BigTech"). The data have to be available "by design" to small/medium enterprises and government bodies.

If the Data Act is successful – which is regarded as doubtful in some quarters – then it will:

  • Lower prices for aftermarket services and repair of smart devices.
  • Enable services that rely on access to IoT data.
  • Provide effective access to data collected by IoT devices – but still keep it in Europe.
  • Enable governments to access and use data generated in the private sector for response to public emergencies.
  • Protect EU businesses from unfair contractual terms in data-sharing contracts.
  • Promote easy switching between cloud providers and grant a 30-day termination right with cloud providers.

Certain elements of the implementation of the Act are still to be fleshed out, including specific safeguards against international transfers of IOT data, development of interoperability standards, operation of dispute settlement bodies, and the design of a certification mark (probably something like the U.S. Cyber Trust Mark).

Conclusion

The introduction of the U.S. Cyber Trust Mark and the EU's Data Act signify significant strides in enhancing cybersecurity and data protection for consumers and businesses alike, underscoring a collective commitment to bolstering cybersafety and data integrity in an increasingly interconnected world.

I had promised, for this blog, an overview of the proposed E.U. Artificial Intelligence Actand a look at NIST's ideas on artificial intelligence. However, I'm moving those topics ahead to my next article, because there's simply too much to write on the subject. Please look out for the next blog in a week or so.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.