RED: New manu­fac­tu­rer obligations

Cyber­se­cu­ri­ty and data pro­tec­tion for radio systems

The Gene­ral Data Pro­tec­tion Regu­la­ti­on (GDPR) does not app­ly direct­ly to manu­fac­tu­r­ers. Howe­ver, the Euro­pean Uni­on (EU) has been spin­ning an ever tigh­ter web for years with num­e­rous legal acts con­tai­ning data pro­tec­tion requi­re­ments for pro­duct deve­lo­p­ment. In par­ti­cu­lar, the issu­an­ce of Dele­ga­ted Regu­la­ti­on (EU) 2022/30 on the Radio Equip­ment Direc­ti­ve (RED) pro­vi­des for cor­re­spon­ding obli­ga­ti­ons – and for more pro­ducts than it seems at first glan­ce. Deter­mi­ning which pro­ducts are affec­ted and which are not can be dif­fi­cult in spe­ci­fic cases. Sin­ce radio equip­ment that does not meet the requi­re­ments will no lon­ger be allo­wed to be made available on the Euro­pean mar­ket from 2024, it is impe­ra­ti­ve that manu­fac­tu­r­ers address the­se issues.

Radio equip­ment con­nec­ted to the Internet

Accor­ding to Dele­ga­ted Regu­la­ti­on (EU) 2022/30, all radio equip­ment con­nec­ted to the Inter­net must meet basic cyber­se­cu­ri­ty and data pro­tec­tion requi­re­ments. The term “radio equip­ment con­nec­ted to the Inter­net” is to be unders­tood more broad­ly than one might initi­al­ly think. Accor­ding to Artic­le 1(1) of Dele­ga­ted Regu­la­ti­on (EU) 2022/30, all radio equip­ment that can com­mu­ni­ca­te via the Inter­net is encom­pas­sed, regard­less of whe­ther a device com­mu­ni­ca­tes direct­ly or via other equip­ment. This means that devices that are not capa­ble of con­nec­ting to the Inter­net them­sel­ves, but can only be con­trol­led via Blue­tooth, may also be covered.

The term “com­mu­ni­ca­ti­on”

The ques­ti­on comes to mind that not every device that con­nects to a lap­top or smart­phone via Blue­tooth com­mu­ni­ca­tes with the Inter­net. The decisi­ve fac­tor for a clear demar­ca­ti­on is the requi­re­ments one places on “com­mu­ni­ca­ting with the Inter­net”. Whe­ther an inter­face for a firm­ware update via the Inter­net is alre­a­dy suf­fi­ci­ent seems doubtful. Reci­tal 5 of Dele­ga­ted Regu­la­ti­on (EU) 2022/30 focu­ses on whe­ther a pie­ce of radio equip­ment ope­ra­tes with pro­to­cols “[…] neces­sa­ry to exch­an­ge data with the inter­net eit­her direct­ly or by means of an inter­me­dia­te equip­ment [sic]”. If appro­pria­te pro­to­cols are used, com­mu­ni­ca­ti­on with the Inter­net can be assu­med. This is now likely to affect a lar­ge pro­por­ti­on of wire­less devices ran­ging from fit­ness tra­ckers to digi­tal bar­be­cue ther­mo­me­ters. Howe­ver, pure input devices are likely to be excluded.

Prac­ti­cal impli­ca­ti­ons for manu­fac­tu­r­ers and imple­men­ta­ti­on in practice

The num­ber of affec­ted pro­ducts is immense. From 2024, the­re is a risk of losing mar­ket access if the rele­vant requi­re­ments are not met. Manu­fac­tu­r­ers should the­r­e­fo­re check careful­ly in the cour­se of their com­pli­ance manage­ment whe­ther the requi­re­ments of the RED must be obser­ved. Howe­ver, even if a pro­duct is not requi­red by the RED to com­ply with cyber­se­cu­ri­ty and data pro­tec­tion stan­dards, manu­fac­tu­r­ers should not igno­re the issue. On the one hand, cus­to­mers who purcha­se the pro­ducts must be able to be sure that legal­ly com­pli­ant use of the pro­duct is pos­si­ble. On the other hand, the­re is a thre­at of pro­duct war­nings from the Ger­man Fede­ral Office for Infor­ma­ti­on Secu­ri­ty (BSI) and the data pro­tec­tion super­vi­so­ry aut­ho­ri­ties. It is also important to con­sider future manu­fac­tu­rer obli­ga­ti­ons, which will ari­se par­ti­cu­lar­ly from the EU Cyber Resi­li­ence Act (CRA).

More infor­ma­ti­on on the imple­men­ta­ti­on of cyber­se­cu­ri­ty and data pro­tec­tion
by design in pro­duct deve­lo­p­ment can be found in this one-page bro­chu­re.


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.