Cybersecurity in the internet of things: Trends and challenges in a nascent field

The European cybersecurity regulation framework, not unlike European regulatory initiatives in general, has oft been criticized as being fragmented and divided among industry sectors. However, the past few years have seen legislative initiatives aimed at harmonizing cybersecurity across the EU, the most recent being the newly adopted Cyber-Resilience Act. The Act attempts to harmonize cybersecurity from the product side, establishing minimum requirements that must be met before digital products are brought into the Union market. It marks the initial foray of the EUs framework for product regulation (i.e., the New Legislative Framework or NLF) into the realm of cybersecurity regulation. Consistent with the NLF, the Cyber-Resilience Act provides for high-level cybersecurity requirements for all digital products, with demonstrable conformity met through multiple avenues including international/industrial standards adopted by European Standardization Organizations. However, unlike conventional product regulation, the Cyber-Resilience Act attempts to fulfil its objectives as part of an overarching framework of multiple harmonization legislations geared towards enhancing cybersecurity in the European Union. This article examines the Cyber-Resilience Act, its interplay with other harmonizing legislations in the EU cybersecurity regulatory regime, and raises critical challenges and questions raised through the trends identified in said interplay.