Protecting consumers from data theft and cyberattacks

• The European Commission’s proposed regulation focuses on businesses, while underestimating the risks for consumers.
• vzbv demands independent third-party certification for smart home devices and wearables, and stricter controls.
• Consumers must be able to rely on the security of all digital services and connected devices and must be able to assert their rights.

The Federation of German Consumer Organisations (Verbraucherzentrale Bundesverband – vzbv) welcomes the European Commission’s proposal to establish minimum cybersecurity standards for digital products and connected devices. However, in terms of consumer needs, the proposal falls far short of expectations. vzbv calls for independent checks, update obligations for an extended period of time for connected devices, and higher fines for companies in cases of non-compliance.

“Consumers as well as businesses need to be protected from cyberattacks. It is incomprehensible why up to now the cybersecurity of consumers has barely featured in the debate and risks are constantly underestimated,” says vzbv’s Executive Director Ramona Pop. “Popular connected devices such as smartphones, robot vacuum cleaners, and fitness watches must be secure – including all aspects of cybersecurity. Consumers must be able to trust that their data is protected and that not just anyone can access their devices.”

The European Commission’s proposal requires that devices must be equipped with up-to-date protection against malware and be protected against simple attacks. However, the proposal fails to ensure compliance with minimum standards. vzbv demands that the compliance with security obligations is checked by an independent third party and public authorities –particularly in sensitive areas. This includes products used in private households as well as products involving children or health-related data.

vzbv also criticises that important services such as cloud services are excluded from the scope of the proposal. The aim must be to create an all-encompassing security standard for all products. The proposal must consider a product’s entire lifecycle and make security updates mandatory for the product’s expected lifetime. “An update obligation of five years is insufficient. Especially household appliances, such as refrigerators or washing machines, have a much longer lifespan,” Pop says.

Only with effective market surveillance, stricter controls, and deterrent penalties can the requirements be successfully implemented. In line with comparable digital legislation, vzbv calls for fines of up to six percent of a company’s global annual turnover for non-compliance. In addition, consumer protection organisations must be able to take collective action in case of non-compliance with cybersecurity requirements to guarantee a high level of protection for consumers.