New proposed EU cybersecurity rules for internet-connected wireless
The European Commission has recently proposed a Delegated Regulation under the Radio Equipment Directive (2014/53/EU) (RED) that obliges manufacturers to improve the cybersecurity of particular wireless devices that have radio capabilities.
The RED regulates most products within the EU that have a radio element included by requiring such products to meet the applicable essential requirements provided by the Directive. Compliance with this Directive is required in order for vendors to sell on the EU market.
Delegated Regulations are legally binding supplements to existing legislation that amend parts of that legislation, and they are limited in scope in what they regulate. They are directly applicable in Member States, meaning they do not need to be transposed into national legislation.
The new proposals require manufacturers of applicable products to ensure:
- Devices have features that prevent harm to communication networks and cannot be used to disrupt the functioning of websites or other services (this can be interpreted to be in reference to the use of IoT devices to launch distributed denial-of-service (DDoS) attacks).
- The protection of consumers’ privacy with a particular focus on children’s rights. Manufacturers will be required to put in place measures to prevent unauthorised access or transmission of a user’s personal data.
- The risk of fraud is minimised when electronic payments are made. This can be achieved by improving authentication control of the user to prevent fraudulent payments.
Which products do the proposals apply to?
The proposed Regulations will apply to most wireless internet-connected devices such as wearables, smartphones, toys, smartwatches, and fitness trackers, since wireless products are the target of more than 80% of cybersecurity attacks compared with wired devices. Medical devices and motor vehicles, however, will not fall within scope, as cybersecurity provisions from other legislation already apply to these products.
Importantly, the new proposals will apply to all manufacturers placing products on the EU market, regardless of whether or not they are based in an EU Member State.
This means UK manufacturers will be required to comply with the proposed regulations in order to export their products to any EU Member State.
The European Commission has clarified that products that are already on the market when the proposed Regulation comes into force can continue to be used by consumers for the rest of their lifecycle without the need for any adaptations.
How will manufacturers ensure compliance?
The Regulation sets out the aims for ensuring cybersecurity in general terms rather than prescribing specific and targeted technical measures. The European Commission has requested the European Standards Organisation (ESO) to develop technical standards that provide more specificity for compliance.
Once those standards are created, manufacturers may then choose either to self-assess their products’ compliance or to have them assessed by an independent third-party inspection entity.
Market surveillance authorities will be responsible for enforcing these new requirements once the Regulation comes into force. For the UK, this will be the Trading Standards Authorities.
When will the proposed regulations come into force?
After a two-month period of scrutiny, the Delegated Regulation will come into force, provided the European Council and Parliament do not object to any parts. Historically, there have been significant debates, and resultant delays, as legislation goes through this legislative process.
Following the completion of the legislative process, compliance with the requirements contained within the final version of the Regulation will be required from mid-2024. This provides a 30-month transition period for companies to ensure their products are compliant.
Despite not being a standalone piece of legislation, this proposed Regulation is an important update that falls within the context of the EU Cybersecurity Strategy presented in December 2020 aiming to improve the cybersecurity of products, particularly Internet of Things (IoT) devices. It is expected to be complemented by the proposed EU Cyber Resilience Act that was announced by the EU’s President, Ursula von der Leyen.
Additionally, although fairly limited in scope, this proposed Regulation means manufacturers will need to begin focusing on creating products that are secure by design and include, for example, unique default passwords as opposed to simple universal passwords, and encryption of communications. Further legislation on product cybersecurity will then extend the scope of application to more types of products and impose further product requirement obligations on manufacturers.