New draft EU Regulation to strengthen cybersecurity of wireless devices and products

Published on 17 January 2022

The question

What are the new potential obligations on manufacturers arising out of the European Commission’s draft Regulation?

The key takeaway

The Commission’s draft Regulation lays down new legal requirements for cybersecurity safeguards, which manufacturers will have to consider in the design and production of the concerned products. The aim is to ensure that all wireless devices are safe before being sold within the EU market. It will also protect citizens’ privacy and personal data, prevent the risks of monetary fraud as well as ensure better resilience of communication networks.

The background

On 29 October 2021, the European Commission adopted a Delegated Regulation under the Radio Equipment Directive (2014/53/EU) to place obligations on manufacturers to improve the cybersecurity of certain types of wireless devices that use radio technology. The goal is to ensure that these devices are safe before they are sold on the EU market.

The development

The European Commission’s draft Regulation will apply to both EU manufacturers and manufacturers who place products on the EU market. As such, it will apply to any UK businesses that export to any EU country. It will have prospective effect and will cover internet-enabled devices, wearables that collect biometric data, and toys and childcare equipment. The types of products caught will therefore include smartphones, tablets, cameras, electronics, baby monitors, smartwatches, fitness trackers and telecommunications equipment. Motor vehicles and medical devices are covered in other legislation so are not subject to this Regulation.

Manufacturers will now be required to incorporate features that are designed to:

  • prevent harm to networks
  • guarantee privacy and the protection of personal data, and 
  • minimise the risk of fraud when the equipment is used to make electronic payments.

The objectives will be set out in general terms, rather than outlining specific technical solutions. The European Standards Organisation will be asked to develop a standard containing specific technical solutions that will be regarded as compliant. Manufacturers will then have the option to choose whether to assess the compliance of their product themselves or have it assessed by an independent inspection body.

Why is this important?

Mobile phones, smart watches, fitness trackers and wireless toys are becoming interwoven in our everyday life, meaning that cyber threats pose a growing risk for every consumer. There is therefore an increasing need to strengthen the cybersecurity of such devices, which the Commission’s draft Regulation aims to address.

The Regulation is expected to come into force in mid-2024, following a 30-month transition period. Compliance with the new rules will be enforced by the national market surveillance authorities that were set up under the Radio Equipment Directive. In the UK, this falls to the trading standards authorities. It is therefore important for manufacturers to ensure their products are compliant, although the transition period does mean that businesses will have ample time to implement necessary changes. 

Any practical tips?

Manufacturers should consider whether their products are likely to be caught by the proposed Regulation. If they are, they should familiarise themselves with the potential requirements well ahead of time so that their product design teams can start planning for the implementation of appropriate features to ensure compliance.