Cybersecurity safeguards introduced for wireless devices sold in Europe

Out-Law News | 03 Nov 2021 | 4:04 pm

The European Commission has published new rules aimed at ensuring devices such as mobile phones, smartwatches, fitness trackers and wireless toys are safe for sale.

The delegated act to the 2014 Radio Equipment Directive (15 page / 466KB PDF) sets out new legal requirements for cybersecurity safeguards, which manufacturers will have to take into account in the design and production of the affected products. The legislation will also protect citizens' privacy and personal data and prevent the risks of monetary fraud, as well as ensuring better resilience of communication networks.

The rules follow an impact assessment on the increased protection of wireless devices, which was published last year.

Cyber law expert Sari van Grondelle of Pinsent Masons, the law firm behind Out-Law, said: “The introduction of these new legal obligations will have a massive impact on the production of all kinds of products, as many products today are connected to the internet. Moreover, non-EU manufacturers are also affected by these new rules and will have to make sure their products comply with the new rules or run the risk of not being able to put their products on the EU market.”

The delegated act includes three key aims: improving network resilience; better protecting consumers’ privacy; and reducing the risk of monetary fraud.

The European Commission said wireless devices would now have to incorporate features to avoid harming communication networks, and to prevent the devices from being used to disrupt the functionality of websites or other services.

They will have to include features to guarantee the protection of personal data, with the protection of children’s rights highlighted as an essential element of the legislation. Manufacturers of wireless devices will have to implement new measures to prevent unauthorised access or transmission of personal data.

Devices will also now have to include features to minimise the risk of fraud when making electronic payments, such as better authentication of the user.

The rules will apply to a wide variety of devices placed on the market once the delegated act is applicable, including any device capable of connecting to the internet such as mobile phones, tablets, cameras, and equipment that is part of the ‘internet of things’ such as virtual assistants. Toys and childcare equipment like baby monitors are also covered by the legislation, along with wearable devices including smartwatches and fitness monitors.

Manufacturers will be able to choose their own technical solutions to achieve the aims of the legislation, although the commission will ask European standardisation organisations to develop harmonised standards in support of the rules.

However, motor vehicles, remote unmanned aircraft equipment, and non-airborne specific radio equipment for aircraft are exempt from the requirements regarding the protection of personal data and protection against fraud. Medical devices are not covered by the legislation.

The commission said the cybersecurity of these exempt devices was already guaranteed by existing pieces of EU legislation.

The European Parliament now has two months to scrutinise the proposal. If there is no objection, the delegated act will be published and manufacturers will have 30 months to adapt to the new landscape.