The European Commission has taken action to improve the cybersecurity of wireless devices available on the European market. As mobile phones, smart watches, fitness trackers and wireless toys are more and more present in our everyday life, cyber threats pose a growing risk for every consumer.
The delegated act to the Radio Equipment Directive adopted today aims to make sure that all wireless devices are safe before being sold on the EU market. This act lays down new legal requirements for cybersecurity safeguards, which manufacturers will have to take into account in the design and production of the concerned products. It will also protect citizens’ privacy and personal data, prevent the risks of monetary fraud as well as ensure better resilience of our communication networks.
Margrethe Vestager, Executive Vice-President for a Europe Fit for the Digital Age, said: “You want your connected products to be secure. Otherwise how to rely on them for your business or private communication? We are now making new legal obligations for safeguarding cybersecurity of electronic devices.”
Thierry Breton, Commissioner for the Internal Market said: “Cyber threats evolve fast; they are increasingly complex and adaptable. With the requirements we are introducing today, we will greatly improve the security of a broad range of products, and strengthen our resilience against cyber threats, in line with our digital ambitions in Europe. This is a significant step in establishing a comprehensive set of common European Cybersecurity standards for the products (including connected objects) and services brought to our market.”
The measures proposed today will cover wireless devices such as mobile phones, tablets and other products capable of communicating over the internet; toys and childcare equipment such as baby monitors; as well as a range of wearable equipment such as smart watches or fitness trackers.
The new measures will help to:
- Improve network resilience: Wireless devices and products will have to incorporate features to avoid harming communication networks and prevent the possibility that the devices are used to disrupt website or other services functionality.
- Better protect consumers’ privacy: Wireless devices and products will need to have features to guarantee the protection of personal data. The protection of children’s rights will become an essential element of this legislation. For instance, manufacturers will have to implement new measures to prevent unauthorised access or transmission of personal data.
- Reduce the risk of monetary fraud: Wireless devices and products will have to include features to minimise the risk of fraud when making electronic payments. For example, they will need to ensure better authentication control of the user in order to avoid fraudulent payments.
The delegated act will be complemented by a Cyber Resilience Act, recently announced by President von der Leyen in the State of the Union speech, which would aim to cover more products, looking at their whole life cycle. Today’s proposal as well as the upcoming Cyber Resilience Act follow up on the actions announced in the new EU Cybersecurity Strategy presented in December 2020.
The delegated act will come into force following a two-month scrutiny period, should the Council and Parliament not raise any objections.
Following the entry into force, manufacturers will have a transition period of 30 months to start complying with the new legal requirements. This will provide the industry with sufficient time to adapt relevant products before the new requirements become applicable, expected as of mid-2024.
The Commission will also support the manufacturers to comply with the new requirements by asking the European Standardisation Organisations to develop relevant standards. Alternatively, manufacturers will also be able to prove the conformity of their products by ensuring their assessment by relevant notified bodies.
Wireless devices have become a key part of the life of citizens. They access our personal information and make use of the communication networks. The COVID-19 pandemic has dramatically increased the use of radio equipment for either professional or personal purposes.
In recent years, studies by the Commission and various national authorities identified an increasing number of wireless devices that pose cybersecurity risks. Such studies have for instance flagged the risk from toys that spy the actions or conversations of children; unencrypted personal data stored in our devices, including those related with payments, that can be easily accessed; and even equipment that can misuse the network resources and thus reduce their capability.
Ian McShane, CTO, Arctic Wolf, said: “For years now, bad actors have been able to exploit the appalling and non-existent security controls within various IoT devices widely used by businesses and their workforces. Even now in 2021, hundreds of thousands of these devices are being shipped without any real concept of security, meaning many are still actively vulnerable to some form of hijacking.
Therefore the European Commission’s new cybersecurity guidelines for these devices is definitely welcome and overdue, but I am sceptical when I see words like ‘prevent’ and ‘guarantee’, as there are no security controls that provide 100 percent protection. It will also be interesting to see which controls will in fact be enforced, and whether these will still also be relevant when the legislation is introduced.
Ultimately, the word ‘guidelines’ gives the impression these will be optional for manufacturers to follow, rather than mandatory. When we live in an era where governments are so disconnected from the reality of security and technology, I’m not going to hold my breath on this having a tangible impact on improving the cybersecurity posture of businesses anytime soon.”