Questions and Answers: Strengthening cybersecurity of wireless devices and products
Why is the Commission strengthening cybersecurity of wireless devices?
The Commission is concerned that the design of wireless devices sold in the EU does not guarantee a sufficient level of cybersecurity, personal data protection and privacy of their users. In recent years, products have been identified on the EU market that take advantage of a weak level of security of certain categories of wireless devices and are vulnerable to attacks or theft of personal data, or allow recording of children's play.
With the requirements adopted today, manufacturers of wireless devices will now have to include technical features to improve the level of cybersecurity of such devices before placing them on the European market.
What are the specific measures and policy objectives?
The proposed legislation establishes obligations for manufacturers to increase the level of cybersecurity of products placed on the EU market. These obligations are for the benefit of consumers. It will also allow the Member States to take corrective measures in case unsecure products are found on the market.
The Commission's initiative aims to achieve the following objectives:
-
-Make networks more resilient: The equipment will have to incorporate features to avoid their misuse to harm communication networks.
-
-Improve the protection of personal data and consumers' privacy: The equipment will incorporate features to guarantee the protection of personal data and privacy.
-
-Reduce the risk of monetary fraud: The equipment will have to include features to minimise the risk of fraud when the equipment is used to make electronic payments.
What devices are concerned?
Today, wireless equipment is the target of more than 80 % of cybersecurity attacks, compared to wired devices.
This initiative therefore covers certain categories of wireless devices that use radio technology. The decision on which devices are covered has been taken on a risk-based approach and according to the results of a cost-benefit analysis.
In particular, the legislation is applicable to the following equipment:
-
-Devices capable of communicating via the Internet: Examples of such equipment include electronic devices such as smartphones, tablets, electronic, cameras; telecommunication equipment as well as equipment that constitutes the ‘internet of things'. Due to insufficient security, such devices present a risk that third parties can improperly access and share personal data, including for fraud purposes, or that such equipment is misused to harm the network.
-
-Toys and childcare equipment: Toys and baby monitors can be vulnerable to cybersecurity threats that monitor or collect information about children. Therefore, the protection of children's rights constitutes an essential element of this legislation.
-
-Wearables: Devices like smartwatches and fitness trackers are more and more present in our lives and they collect biometric data.
Are there any exemptions?
The legislative act lists categories of products that are excluded from the application of some or all essential requirements.
Motor vehicles, electronic road toll systems, equipment to control unmanned aircraft remotely as well as non-airborne specific radio equipment that may be installed on aircrafts are exempt from the requirements regarding the protection of personal data and protection against fraud. Furthermore, none of the requirements apply to medical and in-vitro medical devices.
Cybersecurity of these categories of products is guaranteed by existing pieces of dedicated EU legislation.
What is the legal tool selected by the Commission?
The Commission has adopted a delegated act under the Radio Equipment Directive (2014/53/EU). The co-legislators empowered it to determine certain essential requirements with respect to specific classes and categories of radio equipment.
This delegated act as well as the Radio Equipment Directive are aligned with the principles of technical harmonisation laid down by the New Legislative Framework (NLF) which is applicable since 2008. It is expected that industry should be able to smoothly implement the new requirements given their familiarity with the overall model.
How will the manufacturers comply with this legislation?
The delegated act imposes essential requirements, formulated in general terms as objectives to be achieved, that are deemed necessary for ensuring an adequate level of cybersecurity, personal data protection and privacy. The manufacturers will have the possibility to choose the specific technical solutions for the implementation of these objectives.
The Commission will launch a standardisation request to the European Standardisation Organisations in order to develop harmonised standards in support of this piece of legislation. The standards will be developed with the participation of industry and will be assessed by the Commission against the essential requirements laid down by the EU legal framework. Once it has been established that the specific technical solutions described in these standards comply with the applicable legal requirements, these standards can provide a presumption of conformity with the delegated act. Concretely, this would imply that to benefit from a presumption that their product complies with the applicable legal requirements, manufacturers have to adopt a given technical solution described in a harmonised standard.
The manufacturers, when performing the conformity assessment procedures before placing their products on the EU market, will have the choice between two possibilities:
-
-Perform a self-assessment, when their product has been designed in accordance with harmonised standards.
-
-Rely on a third-party assessment performed by an independent inspection body, regardless of whether or not a harmonised standard was used.
The delegated act is applicable not only to the European industry, but to any manufacturer that intends to place a product on the EU market.
Will the new obligations be proportionate for industry?
The delegated act only sets out essential requirement. Manufacturers are free to choose the technical specification to comply with the legal requirements. In addition, manufacturers can use harmonised standards, when available. Industry participates actively in the development of those standards. Furthermore, manufacturers can select the conformity assessment procedure. In particular, when harmonised standards have been published, manufacturers can self-assess compliance of their products, without having the need to involve third-party assessment bodies.
With respect to SMEs, the requirements are not higher than for other types of enterprises. In particular, EU SMEs in the electronics sector are typically assemblers of components. Consequently, SMEs integrating components (e.g. wireless chipsets) from different suppliers can hence rely on the demonstrated security in the value chain and would be expected to have the capacities of preserving the demonstrated security when assembling different components. This approach has the benefit of proportionally assigning the needed compliance tests and hence the costs to the relevant manufacturers, limiting the burden on the assemblers.
What are the next steps and when will the new requirements start applying?
After the Commission's adoption, the European Parliament and the Council will have two months to scrutinise the proposal. If no objection is raised, the delegated act will be published in the OJEU and a 30 months transitional period will start for the manufacturer to smoothly adapt to it. This period strikes the right balance between the need to increase the current level of cybersecurity and respecting the timeline of the industrial process.
What will happen with old devices?
The delegated act will apply to all devices placed on the market once it becomes applicable. Old devices, which have already been placed on the EU market, can continue to be used without the need for specific adaptations until the end of their life cycle.
What will be the role of the Member States?
The delegated act, which takes the form of a Regulation, is directly applicable in all Member States, without the need for transposition into national legislation.
Member States are responsible for market surveillance. In line with the Radio Equipment Directive, each Member State set up a national Market Surveillance Authority, which ensures that only safe and compliant products are placed on the market. These national Market Surveillance authorities will also have to ensure that all such products comply with the new requirements. The Market Surveillance Authorities can for instance require information from economic operators, adopt restrictive measures such as sales bans or recalls or impose sanctions. The Market Surveillance Authorities across the EU exchange information and cooperate in a dedicated network, coordinated by the Commission.
President von der Leyen announced a Cyber Resilience Act in her 2021 State of the Union speech. What will be the relationship of both legislations?
The delegated act under the Radio Equipment Directive constitutes a significant step towards increasing the level of cybersecurity of wireless devices that are widely used by consumers. It will be completed with the future Cyber Resilience Act, which would aim to cover more products, looking at their whole life cycle. The initiative was announced in the EU Cybersecurity Strategy presented in December 2020.
While the exact content and scope of the announced Cyber Resilience Act is currently still being discussed, the Commission will ensure that all the relevant EU frameworks concerning cybersecurity aspects would be coherent and complementary.