Cyber­se­cu­ri­ty and data pro­tec­tion in radio equipment

EU Com­mis­si­on plans to adopt requi­re­ments for manufacturers!

IT secu­ri­ty inci­dents and data brea­ches in con­nec­tion with the Inter­net of Things (IoT), internet-connected toys and weara­bles have been piling up for years. The EU Com­mis­si­on has now respon­ded by pre­sen­ting a draft Dele­ga­ted Regu­la­ti­on under the Radio Equip­ment Direc­ti­ve (RED), for which a public con­sul­ta­ti­on will be held through 27 August 2021. In this Regu­la­ti­on, the Com­mis­si­on aims to infu­se life into Artic­le 3(3)d)-f) of the RED and requi­re manu­fac­tu­r­ers to take mea­su­res rela­ting to cyber­se­cu­ri­ty, data pro­tec­tion and fraud pre­ven­ti­on.

The requi­re­ments will app­ly as part of the con­for­mi­ty assess­ment pro­ce­du­re (Artic­le 17 of the RED), so that radio equip­ment will have to meet them befo­re they can recei­ve CE mar­king or be made available in the Euro­pean mar­ket. In other words, the Com­mis­si­on intends to impo­se direct requi­re­ments on manu­fac­tu­r­ers of such equip­ment to imple­ment cyber­se­cu­ri­ty, data pro­tec­tion and fraud pre­ven­ti­on mea­su­res. Below, you will find detail­ed infor­ma­ti­on on this topic, which is high­ly rele­vant for manufacturers.

Cyber­se­cu­ri­ty, data pro­tec­tion, fraud pre­ven­ti­on: requi­re­ments which may soon app­ly for manufacturers

If the EU Com­mis­si­on adopts the Dele­ga­ted Regu­la­ti­on in its pre­sent or a simi­lar form, manu­fac­tu­r­ers of radio equip­ment will be requi­red to take cyber­se­cu­ri­ty, data pro­tec­tion and fraud pre­ven­ti­on mea­su­res in the future in order to make their pro­ducts available in the Euro­pean mar­ket in con­for­mance with the law. The spe­ci­fic mea­su­res requi­red depends on the type of radio equipment:

  • Internet-connected radio equip­ment would be requi­red to meet the cyber­se­cu­ri­ty requi­re­ments in accordance with Artic­le 3(3)d) of the RED. Accor­din­gly, such equip­ment may not harm the net­work or its func­tio­ning or misu­se net­work resour­ces, ther­eby caus­ing an unac­cep­ta­ble degra­da­ti­on of ser­vice. Such mea­su­res would the­r­e­fo­re be bin­ding for all IoT devices.
  • The data pro­tec­tion requi­re­ments in accordance with Artic­le 3(3)e) of the RED would have to be met by all radio equip­ment which is used to pro­cess “per­so­nal data” as defi­ned in Artic­le 4 No. 1 of the Gene­ral Data Pro­tec­tion Regu­la­ti­on (GDPR) or “traf­fic” or “loca­ti­on data” as defi­ned in Artic­le 2 b) and c) of the E‑Privacy Direc­ti­ve and which is

1.    con­nec­ted to the inter­net; or
2.    desi­gned or inten­ded exclu­si­ve­ly for child care (e.g. child moni­tors); or
3.    a “toy” in terms of the Toy Safe­ty Direc­ti­ve (e.g. smart toys); or
4.    a weara­ble device, i.e. one which is worn on, strap­ped to or hung from the body (e.g. smart wat­ches, smart clot­hing, head­sets, fit­ness tra­ckers, smart shoes, etc.).

In such cases, the equip­ment will have to incor­po­ra­te safe­guards to ensu­re that the per­so­nal data and pri­va­cy of the user and the sub­scri­ber are protected.

  • In case of radio equip­ment which allows users to take part in pay­ment tran­sac­tions or mana­ge vir­tu­al cur­ren­ci­es, the equip­ment will have to sup­port fea­tures for pro­tec­tion against fraud, and ther­eby sup­port fraud prevention.

Future time­ta­ble: requi­re­ments sche­du­led to take effect in 2024

The EU Commission’s con­sul­ta­ti­on pro­cess for the draft Dele­ga­ted Act will run through 27 August 2021 and the EU Com­mis­si­on is sche­du­led to accept the draft as ear­ly as the fourth quar­ter of 2021. The draft will take effect 20 days after publi­ca­ti­on in the Offi­ci­al Jour­nal of the Euro­pean Uni­on and will beco­me appli­ca­ble 30 months after that date. Manu­fac­tu­r­ers can the­r­e­fo­re expect that they will be requi­red to imple­ment the new requi­re­ments by mid-2024 at the latest if they want to con­ti­nue to make their pro­ducts available in the Euro­pean market.

Our advice for manufacturers

Sta­tu­to­ry requi­re­ments for manu­fac­tu­r­ers to ensu­re cyber­se­cu­ri­ty and data pro­tec­tion are not enti­re­ly new. As far back as 2017, for exam­p­le, Germany’s Fede­ral Net­work Agen­cy ban­ned the internet-connected “My fri­end Cayla” doll  on the initia­ti­ve of Ste­fan Hes­sel, now the Co-Head of our Digi­tal Busi­ness Unit, becau­se the doll could be used as an ille­gal lis­tening device. Moreo­ver, a duty for manu­fac­tu­r­ers to con­form to the GDPR is not enti­re­ly out of the ques­ti­on even under exis­ting law. But we have also seen how sta­tu­to­ry requi­re­ments are start­ing to accu­mu­la­te fas­ter and fas­ter and are beco­ming much stric­ter as well.

Con­side­ring that it may take a long time to adapt their pro­ducts and make chan­ges to their pro­duct deve­lo­p­ment pro­cess, manu­fac­tu­r­ers should the­r­e­fo­re prepa­re to imple­ment the new requi­re­ments as soon as pos­si­ble. Other recent deve­lo­p­ments, such as the vol­un­t­a­ry IT secu­ri­ty label and man­da­to­ry updates in accordance with the Digi­tal Con­tent Direc­ti­ve, should be taken into account as well. Ide­al­ly, manu­fac­tu­r­ers should imple­ment the sta­tu­to­ry requi­re­ments using a com­pli­ance manage­ment sys­tem so as to gene­ra­te the grea­test pos­si­ble syn­er­gy effects from the various regu­la­to­ry requirements.


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.