Cybersecurity and data protection in radio equipment

EU Commission plans to adopt requirements for manufacturers!

IT security incidents and data breaches in connection with the Internet of Things (IoT), internet-connected toys and wearables have been piling up for years. The EU Commission has now responded by presenting a draft Delegated Regulation under the Radio Equipment Directive (RED), for which a public consultation will be held through 27 August 2021. In this Regulation, the Commission aims to give effect to Article 3(3)(d) to (f) of the RED and require manufacturers to take measures relating to cybersecurity, data protection and fraud prevention.

The requirements will apply as part of the conformity assessment procedure (Article 17 of the RED), so radio equipment will have to meet them before it can receive the CE marking or be made available on the European market. In other words, the Commission intends to impose direct requirements on manufacturers of such equipment to implement cybersecurity, data protection and fraud prevention measures. Below you will find detailed information on this topic, which is highly relevant for manufacturers.

Cybersecurity, data protection, fraud prevention: requirements which may soon apply to manufacturers

If the EU Commission adopts the Delegated Regulation in its present or a similar form, manufacturers of radio equipment will in future be required to take cybersecurity, data protection and fraud prevention measures in order to make their products available on the European market in conformity with the law. The specific measures required depend on the type of radio equipment:

  • Internet-connected radio equipment would be required to meet the cybersecurity requirements under Article 3(3)(d) of the RED. Accordingly, such equipment may not harm the network or its functioning or misuse network resources, thereby causing an unacceptable degradation of service. These measures would therefore be binding for all IoT devices that qualify as radio equipment.
  • The data protection requirements under Article 3(3)(e) of the RED would have to be met by all radio equipment which is used to process "personal data" as defined in Article 4(1) of the General Data Protection Regulation (GDPR) or "traffic data" or "location data" as defined in Article 2(b) and (c) of the ePrivacy Directive and which is

1.    connected to the internet; or
2.    designed or intended exclusively for child care (e.g. baby monitors); or
3.    a "toy" within the meaning of the Toy Safety Directive (e.g. smart toys); or
4.    a wearable device, i.e. one which is worn on, strapped to or hung from the body (e.g. smart watches, smart clothing, headsets, fitness trackers or smart shoes).

In such cases, the equipment will have to incorporate safeguards to ensure that the personal data and privacy of the user and of the subscriber are protected.

  • Radio equipment which allows users to take part in payment transactions or manage virtual currencies will have to support features ensuring protection from fraud, in accordance with Article 3(3)(f) of the RED.

Future timetable: requirements scheduled to take effect in 2024

The EU Commission's consultation on the draft Delegated Act will run through 27 August 2021, and the Commission is scheduled to adopt the draft as early as the fourth quarter of 2021. The Regulation will enter into force 20 days after its publication in the Official Journal of the European Union and will become applicable 30 months after that date. Manufacturers can therefore expect to be required to implement the new requirements by mid-2024 at the latest if they want to continue to make their products available on the European market.

Our advice for manufacturers

Statutory requirements for manufacturers to ensure cybersecurity and data protection are not entirely new. As far back as 2017, for example, Germany's Federal Network Agency banned the internet-connected "My friend Cayla" doll on the initiative of Stefan Hessel, now the Co-Head of our Digital Business Unit, because the doll could be used as an illegal listening device. Moreover, a duty for manufacturers to conform to the GDPR is not entirely out of the question even under existing law. But we have also seen how statutory requirements are accumulating faster and faster and are becoming much stricter as well.

Considering that it may take a long time to adapt products and change the product development process, manufacturers should prepare to implement the new requirements as soon as possible. Other recent developments, such as the voluntary IT security label and the mandatory updates under the Digital Content Directive, should be taken into account as well. Ideally, manufacturers should implement the statutory requirements using a compliance management system so as to generate the greatest possible synergies between the various regulatory requirements.


