Vulnerability management as compliance requirement in product security regulation-a game changer for producers' liability and consequential improvement of the level of security in the Internet of Things?

The article outlines the European Union (EU) regulation of information technology (IT) security in Internet of Things products from a consumer and end user perspective. It starts with civil law and the necessity to address security requirements and specifications in individual contractual terms. Data and consumer protection laws have not helped much, mainly because of missing definitions and levels of applicable security. Two new EU directives reforming the law of obligations may improve the situation for consumers since security is now a named quality requirement, especially for the sale of (digital) goods. Also introduced is the provision of security updates as a contractual duty. But both rule sets address only the traders, not the producers. This is different with the activation of clauses in the radio equipment directive, which sets IT security measures as requirements to be compliant for CE labeling. An important element is the introduction of a vulnerability management system. Details can be found in the draft of technical standard ETSI/EN 303645. The work concludes with a look at the EU's efforts regarding certification schemes and the interaction of all regulation elements, with more liability for insecure products plus the hope for effectiveness.