
RED: Higher security requirements in the EU for networked devices such as cell phones

The EU Commission wants to better prevent data breaches in wirelessly networked devices. To this end, it has issued rules on compliance with the controversial directive on radio equipment through a “delegated”, subordinate legal act. These are intended to ensure that the newly covered categories of relevant devices meet specific cybersecurity requirements before they are launched in the EU.

The legal act on the so-called Radio Equipment Directive (RED) concerns Articles 3 (3) d, e and f. Accordingly, radio systems in certain categories or classes must be constructed in such a way that they “neither have harmful effects on the network or its operation” nor “misuse network resources” and thus unacceptably affect a service. They should also have safeguards “which ensure that personal data and the privacy of the user and the participant are protected”. They must also support certain “fraud protection functions”.

The Commission is now defining new classes of equipment that fall under these clauses. According to the delegated regulation, these are primarily networked radio systems such as cell phones, laptops, dongles, alarm systems, cameras and home automation systems. These are at great risk “that they will be hacked and that data protection problems will arise when they are connected to the Internet”. Also included are, for example, “intelligent” toys, which repeatedly have security problems, and child care devices such as baby monitors.

In addition, wearables such as smartwatches and fitness trackers could “monitor and register” a range of sensitive user data such as location, temperature, blood pressure and heart rate over a longer period of time, the Brussels institution writes. Some of this information is then transferred not only via the Internet but also via insecure short-range communication technologies. The manufacturers of such products are therefore also subject to the increased requirements.

Motor vehicles, electronic toll systems, devices for the remote control of unmanned aircraft and non-on-board radio devices that can be installed in aircraft are exempt from the requirements for the protection of privacy and protection against fraud. Their cybersecurity is already guaranteed by existing special EU legislation, the Commission explains. For the same reason, none of the requirements apply to medical devices.

Here, the legal act goes into great detail: implants should generally not be considered wearable radio systems, “since they are neither worn, strapped or fastened to the body nor to clothing”. On the other hand, implanted devices would be covered “if they are themselves able to communicate via the Internet, regardless of whether they are in contact with the outside world directly or via another device”.

The main aim of the initiative is to strengthen the “ecosystem of trust” that “arises from the synergies of all related EU legislation on the protection of the internet, privacy and fraud”. Manufacturers of the radio systems now included would therefore have to prevent unauthorized access to or transmission of personal data. To secure electronic payments, better control of user authentication is necessary.
