Manufacturers forced to improve cyber security of wireless devices under new EU rule

Businesses will have 30 months to comply with the new rules if they want to ship their products to the EU

The European Commission (EC) has announced plans to introduce new rules requiring device manufacturers to embed tougher cyber security measures when designing new wireless devices.

The amendment to the Radio Equipment Directive (RED) will cover all wireless devices, including mobile phones, smart watches, tablets, fitness trackers, and any other electronic device that intentionally transmits and/or emits radio waves for the purposes of communication.

By embedding cyber security measures from the ground up, the commission hopes this will enhance consumer privacy, improve the resilience of communication networks, and reduce the risk of monetary fraud.

Marking a significant step in the EC's legislative procedure, the proposed act was officially adopted on Friday, successfully clearing both the European Council and European Parliament.

The adopted act, which takes the form of a regulation, will undergo a two-month period of scrutiny before being officially enacted. After this time, manufacturers will be afforded a 30-month transition period during which they must make changes to comply with the new legal requirements. The regulation will be directly applicable in all member states without the need for transposition into domestic legislation.

Going forward, new wireless devices will need to have features to guarantee the protection of personal data and the protection of children's rights. Devices such as baby monitors will need to implement new, compliant measures that prevent unauthorised access or transmission of personal data.

There are a number of device types that are excluded from the new rules. These include: motor vehicles, electronic road toll systems, equipment to control unmanned aircraft remotely, and non-airborne specific radio equipment that may be installed on aircraft. The EC said the cyber security of these devices is already covered adequately by existing EU legislation.

From a network resilience perspective, devices must also have features that specifically prevent the possibility that the devices could be used to disrupt websites or other services.

Stronger user authentication when it comes to making electronic payments is also stipulated in the new act, with the hope of minimising the risk of fraud.

"Cyber threats evolve fast; they are increasingly complex and adaptable," said Thierry Breton, commissioner for the internal market. "With the requirements we are introducing today, we will greatly improve the security of a broad range of products, and strengthen our resilience against cyber threats, in line with our digital ambitions in Europe. This is a significant step in establishing a comprehensive set of common European Cybersecurity standards for the products (including connected objects) and services brought to our market."

While the EC said the new requirements will be formulated in general terms as objectives to be achieved, rather than as specific protocols or measures to be applied in each device, it will issue a standardisation request to the European Standardisation Organisations to develop harmonised standards in support of this piece of legislation.

To demonstrate compliance, manufacturers will have a choice of either submitting a self-assessment or relying on a third-party assessment performed by an independent inspection body.

"You want your connected products to be secure. Otherwise how to rely on them for your business or private communication," said Margrethe Vestager, executive vice-president for a Europe Fit for the Digital Age. "We are now making new legal obligations for safeguarding cybersecurity of electronic devices."

Some corners of the industry have claimed the rules are not focused on the right areas, arguing that secure-by-design principles should be applied to component manufacturers so that original equipment manufacturers (OEMs) can produce secure devices by default.

"Market dynamics do not allow technology users to influence technology OEMs in this manner," said John Goodacre, director of UKRI's digital security by design and professor of computer architectures at the University of Manchester. "DCMS Secure by design legislation for the IoT technology manufacturers brings this influence in the same way this legislation suggests for wireless devices.

"It is generally accepted that mobile technologies are revised every 2 to 3 years, however, this is incremental and any fundamental change will be difficult. What needs to happen is the technologies provided to manufacturers (OEMs) are also secured by design so that the OEM can secure their products by default. That's why the UK government is working through the Digital Security by Design (DSbD) programme with the core technology providers to bring Digital Security by Design into the components used within wireless devices."

The amendment to the EU's Radio Equipment Directive comes after President von der Leyen announced in September plans to introduce a Cyber Resilience Act, which will aim to impose measures on a broader set of electronic devices, covering the entirety of their lifecycles.

Making her annual State of the Union speech in the European Parliament back in September, von der Leyen said: "We cannot talk about defence without talking about cyber. If everything is connected, everything can be hacked. Given that resources are scarce, we have to bundle our forces. And we should not just be satisfied to address the cyber threat, but also strive to become a leader in cyber security.

"It should be here in Europe where cyber defence tools are developed. This is why we need a European Cyber Defence Policy, including legislation on common standards under a new European Cyber Resilience Act."
