In an increasingly digitised and interconnected world, cybersecurity risks are a dominating concern for product manufacturers, suppliers and other actors in the supply chain, as well as consumers. Products which use new technologies and are interconnected (for example, smart medical devices and virtual reality (VR) or augmented reality (AR) headsets) are at risk of unauthorised access to data or malicious interference by third parties, including ransomware and malware attacks. This could infringe consumers' privacy rights, cause reputational damage to businesses, and allow access to intimate and varied types of personal data.
These risks are particularly exemplified in the Internet of Children's Things market, where design flaws can leave products vulnerable to hacking. Such risks materialised in the case of a toy doll, where, in 2017, a German watchdog ordered the destruction of the doll following concerns that unauthorised users could eavesdrop on child users' conversations. Similarly, in 2019, a children's smartwatch was recalled by an EU product regulator and withdrawn from the market following concerns that the child user's location could be tracked and their personal data stolen.
In recognition of these cybersecurity risks, EU and UK legislators have proposed to further incorporate cybersecurity provisions into their more mainstay general product safety regulatory regimes, as well as further introducing specific, stand-alone pieces of legislation with cybersecurity as its singular focus. These legislative developments are part of a drive to regulate product cybersecurity and to expand the concept of product safety to include cybersecurity as a mainstay consideration.
The EU Cybersecurity Act came into force in June 2019. It established rules and requirements in relation to the certification of ICT products, services and processes, see Practice note, EU cybersecurity framework: EU Cybersecurity Act. Additionally, as part of the EU's Cybersecurity Strategy presented in December 2020, which aims to improve the cybersecurity of connected products, particularly Internet of Things (IoT) devices, the European Commission (EC) proposed a Delegated Regulation for the Radio Equipment Directive (2014/53/EU) (Delegated Regulation) (see Legal update, European Commission draft Regulation on cybersecurity of internet-enabled products).
Although the Radio Equipment Directive has contained provisions governing the cybersecurity of products, the Delegated Regulation places specific obligations on product manufacturers to ensure the improvement of cybersecurity of particular wireless devices that have radio capabilities, such as wearables, smartphones, toys, smartwatches and fitness trackers. Medical devices (which have generally led the way in the development of product-based cybersecurity regulations) and motor vehicles do not fall within the scope of the Delegated Regulation as they are subject to their own specific legislation which contains cybersecurity provisions.
It has been proposed that the Delegated Regulation, the Cybersecurity Act and the replacement of the Directive on the security of Network Information Systems ((EU) 2016/1148) (NIS Directive) (with what is known as NIS 2) will be complemented by a new EU Cyber Resilience Act. The Cyber Resilience Act seeks to introduce common cybersecurity rules and standards for manufacturers and vendors of tangible and intangible digital products and ancillary services with a view to creating greater transparency over the cybersecurity of such products (see Cyber Resilience Act: legislation tracker).
NIS 2 (published in the Official Journal on 27 December 2022) seeks to:
- Extend the scope of the NIS Directive to include all essential entities providing services listed in Annex I.
- Introduce new requirements for the public and private sectors in relation to incident response, supply chain security, encryption and vulnerability disclosure.
(See Practice note, NIS 2 Directive: overview).
These legislative initiatives aim to tackle the gap in the current EU framework applicable to digital products. To date, that framework has only addressed the cybersecurity of tangible digital products and, where applicable, embedded software concerning those tangible products (see Practice note, EU Cybersecurity framework).
More widely, the EU's mainstay product safety framework, the General Product Safety Directive (2001/95/EC) (GPSD), does not prescribe specific cybersecurity requirements covering the whole product lifecycle. However, the EC's proposal for a General Product Safety Regulation (GPSR) to replace the 20-year-old GPSD (agreed between the European Council and European Parliament on 29 November 2022) identifies various areas of improvement (see Revising and replacing General Product Safety Directive (2001/95/EC) (GPSD): legislation tracker).
These areas include market surveillance, product recalls, online marketplaces and new technologies such as connected products and artificial intelligence (AI). Most of these areas are subject to separate pieces of draft EU legislation which are currently being considered in parallel to the proposed GPSR. The proposed GPSR seeks to update and modernise the framework for the safety of non-food consumer products, including in relation to cybersecurity and privacy risks that are increasingly impacting consumer safety. The proposed changes include:
- A new definition of "product" to encompass items that are "interconnected or not to other items", which is understood as a reference to IoT products.
- Free software updates for the consumer as a right of remedy where an economic operator recalls the product.
- Accounting for the effect a product has when interconnected with another product, and a product's cybersecurity features that protect it from malicious third parties, when assessing product safety.
- A broad range of standards, including European and international standards, the opinions of recognised scientific bodies, and even reasonable consumer expectations as relevant considerations to assist in assessing product safety.
The UK Government launched a National Cyber Strategy in January 2022 which proposes a series of measures to improve the UK's cybersecurity. These include the introduction and implementation of the Product Security and Telecommunications Infrastructure (PSTI) Act, which aims to protect consumer connectable devices such as smart TVs and internet-connectable cameras from cybersecurity attacks (see Legal update, Product Security and Telecommunications Infrastructure Bill receives Royal Assent (coverage of Part 1: cybersecurity of consumer connectable products)).
The PSTI Act is more focused on cybersecurity than other general product safety legislation. It provides a power for ministers to specify security requirements relating to relevant connectable products. The requirements could include a ban on universal, easy-to-guess passwords, and informing customers about the minimum amount of time before a product receives crucial software updates.
The UK has also taken steps to reform and strengthen its own data protection regime by way of the Data Protection and Digital Information Bill (DP&DI Bill). It was introduced to Parliament on 18 July 2022 with a view to creating a clearer regulatory environment for personal data use to fuel responsible innovation. However, second reading of the DP&DI Bill was stalled due to the change in the Conservative government leadership in September 2022. It will now be subject to a further consultation with a view to returning in some form in 2023, particularly as clarity is required for UK-EU data adequacy.