Manufacturers forced to improve cyber security of wireless devices under new EU rule
The European Commission (EC) has announced plans to introduce new rules requiring device manufacturers to embed tougher cyber security measures when designing new wireless devices.
The amendment to the Radio Equipment Directive (RED) will cover all wireless devices, including mobile phones, smart watches, tablets, fitness trackers, and any other electronic device that intentionally transmits and/or emits radio waves for the purposes of communication.
By embedding cyber security measures from the ground up, the commission hopes this will enhance consumer privacy, improve the resilience of communication networks, and reduce the risk of monetary fraud.
Marking a significant step in the EC’s legislative procedure, the proposed act was officially adopted on Friday, successfully clearing both the European Council and European Parliament.
The adopted act, which takes the form of a regulation, will undergo a two-month period of scrutinisation before being officially enacted. After this time, manufacturers will be afforded a 30-month transition period during which time they must make changes to comply with the new legal requirements. It will be directly applicable in all member states without the need for transposition into domestic legislation.
Going forward, new wireless devices will need to have features to guarantee the protection of personal data and the protection of children’s rights. Devices such as baby monitors will need to implement new, compliant measures that prevent unauthorised access or transmission of personal data.
There are a number of device types that are excluded from the new rules. These include: motor vehicles, electronic road toll systems, equipment to control unmanned aircraft remotely, and non-airborne specific radio equipment that may be installed on aircraft. The EC said the cyber security of these devices is already covered adequately by existing EU legislation.
From a network resilience perspective, devices must also have features that specifically prevent the possibility that the devices could be used to disrupt websites or other services.
Stronger user authentication when it comes to making electronic payments is also stipulated in the new act, with the hope of minimising the risk of fraud.
“Cyber threats evolve fast; they are increasingly complex and adaptable,” said Thierry Breton, commissioner for the internal market. “With the requirements we are introducing today, we will greatly improve the security of a broad range of products, and strengthen our resilience against cyber threats, in line with our digital ambitions in Europe. This is a significant step in establishing a comprehensive set of common European Cybersecurity standards for the products (including connected objects) and services brought to our market.”
While the EC said the new requirements will be formulated in general terms as objectives to be achieved, rather than specific protocols or measures to applied in each device, it will launch a standardisation request to the European Standardisation Organisations in order to develop harmonised standards in support of this piece of legislation.
To demonstrate compliance, manufacturers will have a choice of either submitting a self-assessment, or they can rely on a third-party assessment performed by an independent inspection body.
“You want your connected products to be secure. Otherwise how to rely on them for your business or private communication,” said Margrethe Vestager, executive vice-president for A Europe Fit for the Digital Age. “We are now making new legal obligations for safeguarding cybersecurity of electronic devices.”
Some corners of the industry have claimed the introduction of the rules aren’t focused on the right areas, saying secure by design principles should be applied to component manufacturers so equipment manufacturers (OEMs) can produce secure devices by default.
The adopted act comes after European Commission President Ursula von der Leyen announced in September plans to introduce a Cyber Resilience Act, which will aim to implement measures on a broader set of electronic devices, covering the entirety of their lifecycles.
Making her annual State of the Union speech in the European Parliament back in September, von der Leyen said: “We cannot talk about defence without talking about cyber. If everything is connected, everything can be hacked. Given that resources are scarce, we have to bundle our forces. And we should not just be satisfied to address the cyber threat, but also strive to become a leader in cyber security.
“It should be here in Europe where cyber defence tools are developed. This is why we need a European Cyber Defence Policy, including legislation on common standards under a new European Cyber Resilience Act.”
© Dennis Publishing