New Cybersecurity Norms for Wireless Device Makers in EU
European Commission: Guidelines Aim to Protect Wireless Privacy, Prevent Fraud
The guidelines target the design and production of devices such as mobile phones, tablets and other products capable of communicating over the internet; this includes toys and childcare equipment such as baby monitors, as well as a range of wearable equipment such as smartwatches and fitness trackers.
The directive aims to protect citizen privacy and personal data, prevent monetary fraud risks and ensure better resilience of communication networks, according to the executive branch of the European Union.
"Wireless devices and products will have to incorporate features to avoid harming communication networks and prevent the possibility that the devices are used to disrupt websites' or other services' functionality. Wireless devices and products will need to have features to guarantee the protection of personal data," the directive notes.
It aims to protect children's rights by ensuring that manufacturers implement measures to prevent unauthorized access or transmission of personal data, the document says. Wireless devices and products sold in the EU, it adds, will also have to ensure minimum risk of fraud when making electronic payments by providing better authentication control to the user.
According to Thierry Breton, commissioner of the internal market at the EC, the directive is a significant step in setting up a common European cybersecurity standard for products and services available in the market.
"Cyberthreats evolve fast; they are increasingly complex and adaptable. With the requirements we are introducing today, we will greatly improve the security of a broad range of products and strengthen our resilience against cyberthreats, in line with our digital ambitions in Europe," he says.
The new directive is expected to complement the Cyber Resilience Act, announced by Ursula von der Leyen, president of the European Commission, in her State of the Union speech. The act seeks to follow up on the actions in the EU Cybersecurity Strategy presented in December 2020.
If the council and Parliament don't raise any objections, the delegated act of the Radio Equipment Directive is set to come into force after a two-month scrutiny period, according to the Oct. 29 statement from the European Commission, which did not specify the start date of the scrutiny period.
Once the act comes into effect, manufacturers will have a 30-month period - until about mid-2024 - to comply with the new requirements, the statement says.
"The commission will also support manufacturers to comply with the new requirements by asking the European Standardization Organizations to develop relevant standards," the document states. "Alternatively, manufacturers will also be able to prove the conformity of their products by ensuring their assessment by relevant notified bodies."
Market dynamics, however, may not give technology users the influence over the technology of Original Equipment Manufacturers (OEMs) that the directive specifies, says John Goodacre, director of U.K. Research and Innovation's Digital Security by Design program and a professor of computer architectures at the University of Manchester.
"The [U.K.] Department for Digital, Culture, Media & Sports' Secure by Design legislation for the IoT technology manufacturers brings influence the same way this [Radio Equipment Directive] suggests. It is generally accepted that mobile technologies are revised every two to three years, but this is incremental and any fundamental change will be difficult," Goodacre says.
The need, he adds, is to secure the technologies provided to manufacturers by design so that the OEMs can secure their products by default.
"That's why the U.K. government is working through the Digital Security by Design program with core technology providers to bring Digital Security by Design into the components used within wireless devices," Goodacre says.