MEP calls for 'clear and mandatory baseline IT security requirements' for devices

Jan Philipp Albrecht said that the European Union Agency for Network and Information Security (ENISA) should be tasked with producing the requirements, in consultation with industry, and that the European Commission should have the power to stipulate those requirements in EU law if it decides they have "general validity" within the trading bloc.

Albrecht's proposals are contained in a draft opinion he has prepared on behalf of the Committee on Civil Liberties, Justice and Home Affairs (LIBE) at the European Parliament which relates to proposed new EU laws the European Commission tabled in September last year. Those proposals, which Albrecht is seeking to amend, would expand the powers and responsibilities of ENISA.

One amendment proposed by Albrecht detailed what he believes could constitute some baseline IT security requirements. A shortened summary of those recommendations were included in a non-binding recital for the planned new legislation that Albrecht has drafted.

He said they should require "that the device does not contain any known security vulnerability that it is capable of accepting trusted security updates, that the vendor notifies competent authorities of known vulnerabilities and repairs or replaces the affected device, or that the vendor informs when security support for such device will end".

Albrecht said that ENISA should also "propose policies establishing clear responsibilities and liabilities for all stakeholders taking part in ICT eco-systems where the failure to act with proper IT security due diligence could result in severe safety impacts, massive destructions in the environment, trigger a systemic financial or economic crisis".

The agency should also be responsible for putting forward a new "IT security certification scheme" to "increase the transparency for the consumer about upgradability and software support time", he said.

The new laws proposed should also compel ENISA to be open about the IT security vulnerabilities it becomes aware of, Albrecht said. The MEP said the agency should have to report such vulnerabilities even if they are "not yet publicly known to manufacturers".

"The agency should not conceal or exploit undisclosed vulnerabilities in companies and products for its own purposes," Albrecht said. "By developing, buying up and exploiting back doors in IT systems with taxpayers' money, government bodies are putting the security of citizens at risk. In order to protect other stakeholders who deal responsibly with such vulnerabilities, the agency should propose policies for the responsible exchange of information on 'zero days' and other types of security vulnerabilities that are not yet publicly known and that facilitate the closing of vulnerabilities."