Providers of IoT Devices Have 2.5 Years to Implement Stricter Security and Privacy Requirements to Keep Access to the EU Market

Providers of ‘Internet of Things’ (IoT) devices recently woke up to the reality that, with one simple strike from the European Commission (EC), their products went from largely unregulated to being brought under full EU market control.

Using its delegated powers under existing EU regulations for radio equipment (therefore avoiding EU regulatory co-decision procedures), the EC brought IoT within scope, leaving IoT providers 2.5 years to adapt their products to comply with strict cybersecurity, privacy, and fraud prevention requirements in order to keep EU market access. EU market surveillance authorities will be able to take corrective action, order recalls, and withdraw products for non-compliance.   

What is at stake?

In 2017, headline news was that the ‘smart’ children’s doll My Friend Cayla, was so lacking in security that hackers could actually talk to children, record conversations, and determine their location. The German government recommended destroying the dolls (but preferably not in the presence of the children). Many similar hacks of smart devices have followed, including smart washing machines and remote car keys, and the proliferation of IoT security vulnerabilities is well-documented. Where radio equipment, including televisions, radios, and mobile phones are regulated, IoT devices fell out of scope. Instead of drafting new regulations, the EC took a clever shortcut, avoiding the EU regulatory co-decision procedure.

In October 2021, the EC adopted a delegated act to the Radio Equipment Directive 2014/53/EU (RED), bringing IoT devices within its scope.

The delegated act, which will be directly applicable in all Member States, will come into force after a two-month scrutiny period by the European Council and Parliament, which will then be followed by a thirty-month transition period. Accordingly, the new requirements will not affect products sold in the EU before this time. However, in the future, as a pre-condition for EU market access, manufacturers will need to design products which integrate minimum cybersecurity, privacy, and fraud prevention requirements.

What is the existing framework?

The RED established the regulatory framework for placing radio equipment on the EU market. It covers electrical and electronic equipment that can use the radio spectrum for communication and/or radio determination purposes, including, for example, televisions, radios, mobile phones, Wi-Fi, Bluetooth, and GPS products.

It requires manufacturers, importers and distributors of radio equipment placed on the EU market to comply with essential design and manufacturing requirements for health and safety, electromagnetic compatibility, and in relation to the effective and efficient use of the radio spectrum. 

It also provides the basis for the further regulation governing network protection (Article 3(3)(d) RED), safeguards for the protection of privacy and personal data (Article 3(3)(e) RED), and fraud prevention (Article 3(3)(f) RED) set out below.

What is the scope of the new requirements?

The delegated act is applicable not only to the European industry, but to any manufacturer that intends to place a product on the EU market.

In summary, the delegated act provides that Article 3(3)(d), (e), and (f) RED shall now apply to “internet-connected radio equipment” (as defined in Article 1 RED) which, subject to limited exclusions, must:

(i) not harm the network or its functioning or misuse network resources, thereby causing an unacceptable degradation of service (Article 3(3)(d) RED);

(ii) incorporate safeguards to ensure that the personal data and privacy of the users and subscribers are protected (Article 3(3)(e) RED); and

(iii) support certain features ensuring protection from fraud (Article 3(3)(f) RED).

In addition, with limited exceptions, whether internet-connected or not, (a) “wearable radio equipment”, (b) toys which are also radio equipment, and (c) radio equipment for childcare must also incorporate safeguards to ensure that the personal data and privacy of the users and subscribers are protected (Article 3(3)(e) RED).

What is expected to be required of organisations in future?

Although the delegated act does not set out technical measures to mitigate cybersecurity threats, it establishes essential requirements that must be followed in relation to the design and manufacture of certain radio equipment.

Manufacturers will therefore have the flexibility to determine the specific technical solutions for the implementation of these objectives.  However, the EC is expected to launch a standardisation request to the European Standardisation Organisations to develop harmonised standards in support of the new requirements.

The standards will be developed with industry participation and assessed by the EC against the essential requirements laid down by the legislation. Once established, these standards will provide a presumption of conformity with the delegated act. 

In any event, before placing their products on the EU market, manufacturers will have to assess conformity either by (a) performing a self-assessment (when a product has been designed in accordance with harmonised standards), or (b) relying on an independent third-party assessment body (regardless of whether or not a harmonised standard was used).

We are grateful to Sakshi Rai, trainee solicitor, for her contribution.