RED: New manu­fac­tu­rer obligations

Cyber­se­cu­ri­ty and data pro­tec­tion for radio systems

The Gene­ral Data Pro­tec­tion Regu­la­ti­on (GDPR) does not app­ly direct­ly to manu­fac­tu­r­ers. Howe­ver, the Euro­pean Uni­on (EU) has been spin­ning an ever tigh­ter web for years with num­e­rous legal acts con­tai­ning data pro­tec­tion requi­re­ments for pro­duct deve­lo­p­ment. In par­ti­cu­lar, the issu­an­ce of Dele­ga­ted Regu­la­ti­on (EU) 2022/30 on the Radio Equip­ment Direc­ti­ve (RED) pro­vi­des for cor­re­spon­ding obli­ga­ti­ons – and for more pro­ducts than it seems at first glan­ce. Deter­mi­ning which pro­ducts are affec­ted and which are not can be dif­fi­cult in spe­ci­fic cases. Sin­ce radio equip­ment that does not meet the requi­re­ments will no lon­ger be allo­wed to be made available on the Euro­pean mar­ket from 2024, it is impe­ra­ti­ve that manu­fac­tu­r­ers address the­se issues.

Radio equip­ment con­nec­ted to the Internet

Accor­ding to Dele­ga­ted Regu­la­ti­on (EU) 2022/30, all radio equip­ment con­nec­ted to the Inter­net must meet basic cyber­se­cu­ri­ty and data pro­tec­tion requi­re­ments. The term “radio equip­ment con­nec­ted to the Inter­net” is to be unders­tood more broad­ly than one might initi­al­ly think. Accor­ding to Artic­le 1(1) of Dele­ga­ted Regu­la­ti­on (EU) 2022/30, all radio equip­ment that can com­mu­ni­ca­te via the Inter­net is encom­pas­sed, regard­less of whe­ther a device com­mu­ni­ca­tes direct­ly or via other equip­ment. This means that devices that are not capa­ble of con­nec­ting to the Inter­net them­sel­ves, but can only be con­trol­led via Blue­tooth, may also be covered.

The term “com­mu­ni­ca­ti­on”

The ques­ti­on comes to mind that not every device that con­nects to a lap­top or smart­phone via Blue­tooth com­mu­ni­ca­tes with the Inter­net. The decisi­ve fac­tor for a clear demar­ca­ti­on is the requi­re­ments one places on “com­mu­ni­ca­ting with the Inter­net”. Whe­ther an inter­face for a firm­ware update via the Inter­net is alre­a­dy suf­fi­ci­ent seems doubtful. Reci­tal 5 of Dele­ga­ted Regu­la­ti­on (EU) 2022/30 focu­ses on whe­ther a pie­ce of radio equip­ment ope­ra­tes with pro­to­cols “[…] neces­sa­ry to exch­an­ge data with the inter­net eit­her direct­ly or by means of an inter­me­dia­te equip­ment [sic]”. If appro­pria­te pro­to­cols are used, com­mu­ni­ca­ti­on with the Inter­net can be assu­med. This is now likely to affect a lar­ge pro­por­ti­on of wire­less devices ran­ging from fit­ness tra­ckers to digi­tal bar­be­cue ther­mo­me­ters. Howe­ver, pure input devices are likely to be excluded.

Prac­ti­cal impli­ca­ti­ons for manu­fac­tu­r­ers and imple­men­ta­ti­on in practice

The num­ber of affec­ted pro­ducts is immense. From 2024, the­re is a risk of losing mar­ket access if the rele­vant requi­re­ments are not met. Manu­fac­tu­r­ers should the­r­e­fo­re check careful­ly in the cour­se of their com­pli­ance manage­ment whe­ther the requi­re­ments of the RED must be obser­ved. Howe­ver, even if a pro­duct is not requi­red by the RED to com­ply with cyber­se­cu­ri­ty and data pro­tec­tion stan­dards, manu­fac­tu­r­ers should not igno­re the issue. On the one hand, cus­to­mers who purcha­se the pro­ducts must be able to be sure that legal­ly com­pli­ant use of the pro­duct is pos­si­ble. On the other hand, the­re is a thre­at of pro­duct war­nings from the Ger­man Fede­ral Office for Infor­ma­ti­on Secu­ri­ty (BSI) and the data pro­tec­tion super­vi­so­ry aut­ho­ri­ties. It is also important to con­sider future manu­fac­tu­rer obli­ga­ti­ons, which will ari­se par­ti­cu­lar­ly from the EU Cyber Resi­li­ence Act (CRA).

More infor­ma­ti­on on the imple­men­ta­ti­on of cyber­se­cu­ri­ty and data pro­tec­tion
by design in pro­duct deve­lo­p­ment can be found in this one-page bro­chu­re.