Cybersecurity and data protection in radio equipment

Stefan Hessel

EU Commission plans to adopt requirements for manufacturers!

IT security incidents and data breaches in connection with the Internet of Things (IoT), internet-connected toys and wearables have been piling up for years. The EU Commission has now responded by presenting a draft Delegated Regulation under the Radio Equipment Directive (RED), for which a public consultation will be held through 27 August 2021. In this Regulation, the Commission aims to infuse life into Article 3(3)d)-f) of the RED and require manufacturers to take measures relating to cybersecurity, data protection and fraud prevention.

The requirements will apply as part of the conformity assessment procedure (Article 17 of the RED), so that radio equipment will have to meet them before they can receive CE marking or be made available in the European market. In other words, the Commission intends to impose direct requirements on manufacturers of such equipment to implement cybersecurity, data protection and fraud prevention measures. Below, you will find detailed information on this topic, which is highly relevant for manufacturers.

Cybersecurity, data protection, fraud prevention: requirements which may soon apply for manufacturers

If the EU Commission adopts the Delegated Regulation in its present or a similar form, manufacturers of radio equipment will be required to take cybersecurity, data protection and fraud prevention measures in the future in order to make their products available in the European market in conformance with the law. The specific measures required depends on the type of radio equipment:

  • Internet-connected radio equipment would be required to meet the cybersecurity requirements in accordance with Article 3(3)d) of the RED. Accordingly, such equipment may not harm the network or its functioning or misuse network resources, thereby causing an unacceptable degradation of service. Such measures would therefore be binding for all IoT devices.
  • The data protection requirements in accordance with Article 3(3)e) of the RED would have to be met by all radio equipment which is used to process "personal data" as defined in Article 4 No. 1 of the General Data Protection Regulation (GDPR) or "traffic" or "location data" as defined in Article 2 b) and c) of the E-Privacy Directive and which is

1.    connected to the internet; or
2.    designed or intended exclusively for child care (e.g. child monitors); or
3.    a "toy" in terms of the Toy Safety Directive (e.g. smart toys); or
4.    a wearable device, i.e. one which is worn on, strapped to or hung from the body (e.g. smart watches, smart clothing, headsets, fitness trackers, smart shoes, etc.).

In such cases, the equipment will have to incorporate safeguards to ensure that the personal data and privacy of the user and the subscriber are protected.

  • In case of radio equipment which allows users to take part in payment transactions or manage virtual currencies, the equipment will have to support features for protection against fraud, and thereby support fraud prevention.

Future timetable: requirements scheduled to take effect in 2024

The EU Commission's consultation process for the draft Delegated Act will run through 27 August 2021 and the EU Commission is scheduled to accept the draft as early as the fourth quarter of 2021. The draft will take effect 20 days after publication in the Official Journal of the European Union and will become applicable 30 months after that date. Manufacturers can therefore expect that they will be required to implement the new requirements by mid-2024 at the latest if they want to continue to make their products available in the European market.

Our advice for manufacturers

Statutory requirements for manufacturers to ensure cybersecurity and data protection are not entirely new. As far back as 2017, for example, Germany's Federal Network Agency banned the internet-connected "My friend Cayla" doll  on the initiative of Stefan Hessel, now the Co-Head of our Digital Business Unit, because the doll could be used as an illegal listening device. Moreover, a duty for manufacturers to conform to the GDPR is not entirely out of the question even under existing law. But we have also seen how statutory requirements are starting to accumulate faster and faster and are becoming much stricter as well.

Considering that it may take a long time to adapt their products and make changes to their product development process, manufacturers should therefore prepare to implement the new requirements as soon as possible. Other recent developments, such as the voluntary IT security label and mandatory updates in accordance with the Digital Content Directive, should be taken into account as well. Ideally, manufacturers should implement the statutory requirements using a compliance management system so as to generate the greatest possible synergy effects from the various regulatory requirements.

[August 2021]