A subordinate legal act under the controversial EU directive on radio equipment will now take effect a year later than originally planned. The Delegated Regulation of 2022, with which the EU Commission declares war on data breaches in wirelessly networked devices such as smartphones and other portable computer systems, was originally supposed to become mandatory from August 1, 2024. But at the end of July, the Brussels government institution decided with an additional regulation to postpone the start date to August 1, 2025.
The original legal act under the Radio Equipment Directive (RED) lays down additional rules based on Article 3(3)(d), (e) and (f) of the Directive. Accordingly, “radio equipment” in certain categories or classes must be constructed in such a way that the devices “neither have a harmful effect on the network or its operation” nor cause “misuse of network resources” and thus impair a service disproportionately. The devices should also protect privacy, and they must include certain “anti-fraud features” such as multi-factor authentication.
The regulations primarily affect networked radio equipment such as mobile phones, laptops, dongles, alarm systems, cameras and home automation systems. According to the Commission, there is a great risk that “they will be hacked and that data protection problems will arise if they are connected to the Internet”. “Intelligent” toys, which repeatedly attract attention due to safety problems, and childcare devices such as baby monitors are also covered. The requirements also apply to wearables such as smartwatches and fitness trackers, which monitor and register a range of confidential user data such as location, temperature, blood pressure and heart rate over a longer period of time.
First EU standards for cybersecurity
To make it easier for smaller companies to meet the requirements as well, the Commission sent a standardization mandate to the responsible European organizations in August 2022. The European Committee for Standardization (CEN) and the European Committee for Electrotechnical Standardization (Cenelec) were therefore to deliver new harmonized standards for the implementation of the regulation by September 30, 2023. However, because of the tight deadline of around one year, CEN and Cenelec applied to the Commission for an extension of nine months. They pointed to the technical complexity of the matter and to the fact that harmonized standards supporting EU legislation on the cybersecurity of products were being developed for the first time.
The Commission justifies the extension of the deadline in the additional regulation C(2023)4823: the lack of harmonized standards makes compliance with the basic requirements of the directive very difficult. Therefore, the relevant organizations should be given “sufficient time to develop high-quality standards”.
The Commission first informed the member states about its proposal; according to information from heise online, they endorsed it unanimously. It also conducted a public consultation, receiving 45 responses, mostly from industry. The authors of some opinions expressed concern about the current lack of security of wireless devices in the EU and called for the regulations to be implemented as soon as possible. Others suggested pushing back the regulation by more than 12 months.
In view of the divided feedback, the Commission says it has chosen a middle ground “to ensure the smooth functioning of the EU market”. At the same time, it corrected an error in the description of the connection and location data that radio systems can process. The Brussels executive has now sent the text of the additional regulation to the EU Parliament and the Council of Ministers. If there are no objections within two months, the second delegated act will be published in the Official Journal and will then enter into force.
According to the authors of a paper published in July by the engineering association IEEE, harmonized standards are now more or less equivalent to law in the EU as a result of a number of judgments by the European Court of Justice. As a result, the demands on such standards have increased massively. According to reports, the Commission expects harmonized standards to be “legally secure” and even to include tests that deliver reproducible results. In areas such as cybersecurity in particular, this is difficult to achieve and certainly cannot be produced off the cuff.
(dz)