European Commission Adopts Delegated Regulation to Strengthen Cybersecurity of Radio Equipment
Recently, the European Commission adopted a Delegated Regulation, supplementing the Radio Equipment Directive 2014/52/EU and consequently activating Articles 3(3)(d), (e) and (f) of the Directive for certain categories of radio equipment. This mandatory requirement was enacted in order to increase the level of cybersecurity, personal data protection, and privacy of wireless device users throughout the European Union’s member countries.
The decision comes after the Commission became aware of concerns regarding the design of wireless devices sold in the EU which have historically been vulnerable to cyber-attacks and theft of personal data. These studies have revealed the risk that a variety of wireless devices including wearables, children’s toys, and monitoring equipment pose on a regular basis throughout the EU.
Now, thanks to the Delegated Regulation, radio equipment and wireless device manufacturers will be required to include technical features which will improve the level of cybersecurity of devices within the European market.
Manufacturers of the following equipment will be affected as outlined in Articles 1, 2, and 3 of the Commission Delegated Regulation:
- Internet-connected and telecommunication devices: Third-party access allows for improper access to personal data, which can result in fraud and other harmful activities from the Internet of Things.
- Wearables: Smart watches and fitness trackers can collect biometric data, which can be used to target users.
- Childcare equipment and toys: Devices such as baby monitors and wirelessly connected can improperly monitor and collect information about the children who utilize them.
These new federal requirements offer manufacturers two potential possibilities for performing conformity assessments before going to market:
- Self-Assessment: Manufacturers can perform a self-assessment once their product has complied with these harmonized standards.
- Third-Party Assessment: Work with a Notified Body to ensure compliance with these harmonized standards.
The delegated act will apply to all devices placed on the EU market, regardless of where the manufacturer is located.
After the Commission’s adoption, the European Parliament and Council has two months to review the proposal. If no objections are made, the delegated act will be published in the Official Journal of the European Union (OJEU), and all regulations will enter into force on the twentieth day.
Following its entry, manufacturers will be given a transitionary period of 30 months to ensure compliance with the new legal requirements. This will provide the industry with sufficient time to adapt relevant products before the new requirements become applicable, expected as of mid-2024.
The Commission will also ask the European Standardization Organizations to develop relevant standards for assessment to the new requirements so that manufacturers can assess their products in accordance with these relevant standards. Manufacturers will also be able to prove conformity by working with a Notified Body for assessment.
Manufacturers of radio products that are within the scope of the regulation need to meet Articles 3(3)(d), (e), and (f) of the EU Radio Equipment Directive. Products that do not conform to the regulation and are not assessed as such, cannot be deemed compliant and cannot be placed on the market in Europe once the regulation is in force. Penalties and fines can be applied.
This effort to strengthen the cybersecurity of wireless devices seeks to make networks more resilient, as well as improve the protection of both personal data and consumer privacy. If successful, this initiative will also reduce the ever-increasing risk of monetary fraud.
How Nemko Can Help
The consequences for not complying with this Delegated Regulation will be substantial, which is why many international manufacturers have turned to a third-party notified body like Nemko to ensure their products are complying with all requirements. Nemko can test connected systems and devices in accordance with the requirements and best practices outlined in key standards such as ETSI/EN 303 645. Nemko has also developed specific testing and approval services expressly designed for the unique cybersecurity threats targeted within IoT technologies.
In addition to these services, Nemko can also provide testing and certification services in accordance with the internationally recognized Common Criteria scheme and can provide EU Notified Body Type Examination Certification and UK Approved Body Type Examination Certification for all radio products within scope.
Partnering with Nemko can provide your organization with several important advantages in your efforts to address the challenges of today's cyber security landscape. With thirty locations across six continents, Nemko is well-positioned to support your efforts to achieve global market access for your products, regardless of the location or target market. Send us an email at firstname.lastname@example.org to get started, today.
Vina is located in Nemko’s US office and she is responsible for Nemko’s Telecommunications Certification Body programs. Vina has a proven track record of successfully implementing and managing certification programs with over 18 years of experience from R&D/engineering, compliance testing and certification to...