Cybersecurity and data protection for radio systems
The General Data Protection Regulation (GDPR) does not apply directly to manufacturers. However, the European Union (EU) has been spinning an ever tighter web for years with numerous legal acts containing data protection requirements for product development. In particular, the issuance of Delegated Regulation (EU) 2022/30 on the Radio Equipment Directive (RED) provides for corresponding obligations – and for more products than it seems at first glance. Determining which products are affected and which are not can be difficult in specific cases. Since radio equipment that does not meet the requirements will no longer be allowed to be made available on the European market from 2024, it is imperative that manufacturers address these issues.
Radio equipment connected to the Internet
According to Delegated Regulation (EU) 2022/30, all radio equipment connected to the Internet must meet basic cybersecurity and data protection requirements. The term “radio equipment connected to the Internet” is to be understood more broadly than one might initially think. According to Article 1(1) of Delegated Regulation (EU) 2022/30, all radio equipment that can communicate via the Internet is encompassed, regardless of whether a device communicates directly or via other equipment. This means that devices that are not capable of connecting to the Internet themselves, but can only be controlled via Bluetooth, may also be covered.
The term “communication”
One might object that not every device that connects to a laptop or smartphone via Bluetooth communicates with the Internet. The decisive factor for a clear demarcation is what one requires of “communicating with the Internet”. Whether an interface for a firmware update via the Internet is already sufficient seems doubtful. Recital 5 of Delegated Regulation (EU) 2022/30 focuses on whether a piece of radio equipment operates with protocols “[…] necessary to exchange data with the internet either directly or by means of an intermediate equipment [sic]”. If appropriate protocols are used, communication with the Internet can be assumed. This is now likely to affect a large proportion of wireless devices, ranging from fitness trackers to digital barbecue thermometers. However, pure input devices are likely to be excluded.
Practical implications for manufacturers and implementation in practice
The number of affected products is immense. From 2024, there is a risk of losing market access if the relevant requirements are not met. Manufacturers should therefore check carefully in the course of their compliance management whether the requirements of the RED must be observed. However, even if a product is not required by the RED to comply with cybersecurity and data protection standards, manufacturers should not ignore the issue. On the one hand, customers who purchase the products must be able to be sure that legally compliant use of the product is possible. On the other hand, there is a threat of product warnings from the German Federal Office for Information Security (BSI) and the data protection supervisory authorities. It is also important to consider future manufacturer obligations, which will arise particularly from the EU Cyber Resilience Act (CRA).
More information on the implementation of cybersecurity and data protection by design in product development can be found in this one-page brochure.