EU to adopt new cybersecurity rules for smartphones, wireless, IoT devices
The European Commission has ordered an update to the Radio Equipment Directive in order to introduce new cybersecurity guidelines for radio and wireless equipment sold on the EU market, such as mobile phones, tablets, fitness trackers, and other smart IoT devices.
The new standards, which are currently scheduled to enter into effect by mid-2024, were adopted following a delegated act to the Radio Equipment Directive (RED), a piece of 2014 EU legislation that acts as the regulatory framework that equipment vendors must follow in order to sell electronic equipment on the EU market.
The delegated act, which is a bureaucratic mechanism used by the European Commission to tell EU bodies to update legislation, lists three new security measures that device makers must incorporate in the design of their products in order to be allowed to sell products in the EU. These include:
- Improve network resilience: Wireless devices and products will have to incorporate features to avoid harming communication networks and prevent the possibility that the devices are used to disrupt website or other services functionality.
- Better protect consumers’ privacy: Wireless devices and products will need to have features to guarantee the protection of personal data. The protection of children’s rights will become an essential element of this legislation. For instance, manufacturers will have to implement new measures to prevent unauthorised access or transmission of personal data.
- Reduce the risk of monetary fraud: Wireless devices and products will have to include features to minimise the risk of fraud when making electronic payments. For example, they will need to ensure better authentication control of the user in order to avoid fraudulent payments.
New standards expected to enter into effect by mid-2024
“The delegated act will come into force following a two-month scrutiny period, should the Council and Parliament not raise any objections,” the European Commission said on Friday, explaining the next steps in the regulatory process of updating the RED.
“Following the entry into force, manufacturers will have a transition period of 30 months to start complying with the new legal requirements. This will provide the industry with sufficient time to adapt relevant products before the new requirements become applicable, expected as of mid-2024,” it added.
As part of this process, the Commission said it would also ask the European Standardisation Organisations to develop new standards that incorporate the new RED measures, so vendors have a firm grasp of what is expected from them.
While the new measures are pretty vague, the EU will most likely use this RED update to force equipment vendors to ship devices with unique passwords instead of one-for-all default passwords, devices that use encrypted communications, or devices that encrypt local data, something that EU authorities have suggested in the past.