Manufacturers forced to improve cyber security of wireless devices under new EU rule

Pedestrian walks outside of the European Commission's building in Brussels, Belgium.
(Image credit: Shutterstock)

The European Commission (EC) has announced plans to introduce new rules requiring device manufacturers to embed tougher cyber security measures when designing new wireless devices.

The amendment to the Radio Equipment Directive (RED) will cover all wireless devices, including mobile phones, smart watches, tablets, fitness trackers, and any other electronic device that intentionally transmits and/or emits radio waves for the purposes of communication.

By embedding cyber security measures from the ground up, the commission hopes this will enhance consumer privacy, improve the resilience of communication networks, and reduce the risk of monetary fraud.

Marking a significant step in the EC's legislative procedure, the proposed act was officially adopted on Friday, successfully clearing both the European Council and European Parliament.

The adopted act, which takes the form of a regulation, will undergo a two-month period of scrutinisation before being officially enacted. After this time, manufacturers will be afforded a 30-month transition period during which time they must make changes to comply with the new legal requirements. It will be directly applicable in all member states without the need for transposition into domestic legislation.

Going forward, new wireless devices will need to have features to guarantee the protection of personal data and the protection of children's rights. Devices such as baby monitors will need to implement new, compliant measures that prevent unauthorised access or transmission of personal data.

There are a number of device types that are excluded from the new rules. These include: motor vehicles, electronic road toll systems, equipment to control unmanned aircraft remotely, and non-airborne specific radio equipment that may be installed on aircraft. The EC said the cyber security of these devices is already covered adequately by existing EU legislation.

From a network resilience perspective, devices must also have features that specifically prevent the possibility that the devices could be used to disrupt websites or other services.

Stronger user authentication when it comes to making electronic payments is also stipulated in the new act, with the hope of minimising the risk of fraud.

RELATED RESOURCE

Prevent fraud and phishing attacks with DMARC

How to use domain-based message authentication, reporting, and conformance for email security

FREE DOWNLOAD

"Cyber threats evolve fast; they are increasingly complex and adaptable," said Thierry Breton, commissioner for the internal market. "With the requirements we are introducing today, we will greatly improve the security of a broad range of products, and strengthen our resilience against cyber threats, in line with our digital ambitions in Europe. This is a significant step in establishing a comprehensive set of common European Cybersecurity standards for the products (including connected objects) and services brought to our market.”

While the EC said the new requirements will be formulated in general terms as objectives to be achieved, rather than specific protocols or measures to applied in each device, it will launch a standardisation request to the European Standardisation Organisations in order to develop harmonised standards in support of this piece of legislation.

To demonstrate compliance, manufacturers will have a choice of either submitting a self-assessment, or they can rely on a third-party assessment performed by an independent inspection body.

“You want your connected products to be secure. Otherwise how to rely on them for your business or private communication," said Margrethe Vestager, executive vice-president for a Europe Fit for the Digital Age. "We are now making new legal obligations for safeguarding cybersecurity of electronic devices.”

Some corners of the industry have claimed the introduction of the rules aren't focused on the right areas, saying secure by design principles should be applied to component manufacturers so equipment manufacturers (OEMs) can produce secure devices by default.

“Market dynamics do not allow technology users to influence technology OEMs in this manner," said John Goodacre, director of UKRI’s digital security by design and professor of computer architectures at the University of Manchester. "DCMS Secure by design legislation for the IoT technology manufacturers brings this influence in the same way this legislation suggests for wireless devices.

"It is generally accepted that mobile technologies are revised every 2 to 3 years, however, this is incremental and any fundamental change will be difficult. What needs to happen is the technologies provided to manufacturers (OEMs) are also secured by design so that the OEM can secure their products by default. That’s why the UK government is working through the Digital Security by Design (DSbD) programme with the core technology providers to bring Digital Security by Design into the components used within wireless devices.”

The EU's Radio Equipment Directive comes after President von der Leyen announced in September plans to introduce a Cyber Resilience Act, which will aim to implement measures on a broader set of electronic devices, covering the entirety of their lifecycles.

Making her annual State of the Union speech in the European Parliament back in September, von der Leyen said: "We cannot talk about defence without talking about cyber. If everything is connected, everything can be hacked. Given that resources are scarce, we have to bundle our forces. And we should not just be satisfied to address the cyber threat, but also strive to become a leader in cyber security.

"It should be here in Europe where cyber defence tools are developed. This is why we need a European Cyber Defence Policy, including legislation on common standards under a new European Cyber Resilience Act."

Connor Jones
Contributor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.