Is the Internet of Secure Things a step closer?

As of 2024, smart devices have to meet minimum security requirements. If they do not, they may not be sold on the European market. This emerges from a recent decision by the European Commission. Carolien Nijhuis, EVP Internet of Things at KPN, welcomes the step. “Users have a right to expect secure IoT products.”

In addition, from 2024 onwards smart consumer electronics have to be tested for security vulnerabilities and must no longer be supplied with a weak default password. Updating the software should be as simple as possible. This also applies to managing, protecting and deleting personal data. And the supplier must have a responsible disclosure policy so that a security hole in the software can be reported responsibly. These minimum safety requirements are also laid down in the ETSI EN 303 645 standard.

“It is legislation that everyone has asked for and that everyone was waiting for,” Nijhuis says. According to the EVP Internet of Things, the cyber security of IoT devices is still something that is unfathomable to most users. “They simply have to trust that the smart thermostat, interactive doorbell or connected coffee maker is secure. There is no quality mark by which secure devices can be recognized. The new legislation will change that. Devices that do not meet the minimum security requirements are not eligible for CE marking.”

Security not built-in

According to Nijhuis, the new legislation is the right response to the popularity of the Internet of Things, which is rising at a phenomenal rate. There are already some 35 billion devices connected to the internet. That number is expected to rise to 125 billion in 2030. “We live and work in a cloud of IoT devices that collect and process data about our lives with the best of intentions. They make life easier, more fun or more sustainable.”

This spectacular growth also has a significant downside, however. The “building in” of security from the start is often forgotten when IoT devices are being developed. “IoT devices can collect highly sensitive personal data and provide insight into aspects such as someone's heart rate or current location,” says Erno Doorenspleet, CTO of KPN Security. “But without protective measures, privacy is at stake and serious cyber incidents can occur.”

So there’s a risk that cybercriminals will eavesdrop on conversations or peek into the bedroom via baby monitors, children's toys or smart TVs. An unsecured smart doorbell can give hackers access to the home network and the data that can be found there. With a copy of that data they can commit identity fraud. And unsecured IoT consumer electronics can be incorporated into a botnet such as Dark Nexus that enables criminal organizations to carry out DDoS attacks.

Kiwa and KPN help

The new legislation is therefore good news for the users of the IoT but, according to Doorenspleet, this does not mean that it is easy to comply with the legislation. “As KPN, we help manufacturers with this by means of certification and advice, by jointly developing a product, and by applying the security during development and not afterwards. In our state-of-the-art lab we can also test the security of a working prototype thoroughly to see whether the product complies with the ETSI EN 303 645 standard.”

In the field of the certification of IoT consumer electronics KPN Security has entered into a cooperation agreement with Kiwa, which specializes in testing, inspection and certification. As part of this agreement, Kiwa accepts the test results of KPN Security's test lab for the purpose of issuing a product certificate. With this certificate the manufacturer can be sure that the product may be sold in Europe. For the consumer, the certificate is proof that the product is safe to use.

Making society as secure as possible

According to Nijhuis, Kiwa and KPN are logical partners. “Kiwa's slogan is 'we create trust around the world'. This dovetails seamlessly with KPN's values. Manufacturers of IoT consumer electronics can rely on the knowledge and experience that KPN IoT has gained in the business market. We are now working together to solve the social problem posed by insecure IoT products.”

“Security is in KPN’s DNA,” concludes Doorenspleet. “Consumers need to be confident that our services and products are safe to use. That’s why we invest a lot of time and money in cyber security. The knowledge we have gained from that is also included in our KPN Security Policy (KSP), which we use as a minimum standard for every new development. It contains our 'security rules'. We make the KSP available for use, free of charge. It’s our contribution to the transition to a digital society that is as secure as possible.”

Would you like to know more about the one-stop shop of Kiwa and KPN Security for the independent assessment, testing and certification of IoT consumer electronics? Check out Kiwa's special website.
