EU mandates minimum cyber security for wireless products

By enforcing minimum cyber security of wireless products, the EU-Commission intends to improve the resilience of the European Union against rapidly increasing cyber-threats. Especially protecting against attacks targeting widely spread but insufficiently protected Internet of Things (IoT) and consumer products.

Why Bureau Veritas – 7layers?

Based on the unique combination of:

• expertise in Radio Equipment Directive testing and involvement in standardization (Bureau Veritas – 7layers)
• combined with expert know-how in cyber security assessments (Bureau Veritas – Secura)
• and authorization as relevant Notified Body (Bureau Veritas – LCIE)

Bureau Veritas is the perfect choice for the following services:

• Consulting about the relevant technical cyber security requirements
• Assessment of conformity e.g. to ETSI EN 303 645
• EU Type Examination Certificate issued by BV-LCIE as notified body

What happened?

On 2021-10-29 the EU-Commission has adopted a Delegated Act, which activates “dormant” Articles regarding cyber security in the Radio Directive (RED).

Who is affected?

Wireless products capable of communicating over the internet such as mobile phones and tablets; toys and childcare equipment such as baby monitors; as well as a range of wearable equipment such as smartwatches or fitness trackers shall comply to this regulation.

Excluded are devices that are already covered in other (harmonized) regulations and directives, such as Medical devices, In-Vitro Diagnostic Medical Devices, Civil aviation including drones and remote control systems, Motor vehicles and components intended for vehicles, Electronic road toll systems.

What’s next:

End of 2021 after a scrutiny period, where EU-Council and EU-Parliament could raise any objections, the delegated act will come into force.
THEN manufacturers CAN start to demonstrate compliance of their products to these new requirements.

By Mid of 2024 after a 30 month transition period the new requirements become mandatory
THEN manufactures MUST demonstrate compliance of their products.

The EU commission is asking European Standardisation Organisations like ETSI and CEN/CENELC to develop harmonized standards.
By participating in the these development activities, we at Bureau Veritas – 7layers are confident that ETSI EN 303 645 will play a key role in standardization.

How to comply:

Declaration of Conformity based on self-assessment is accepted as soon as harmonized Standards are available.

Alternatively and as long as harmonized standards are not available, manufacturers can prove the conformity of their products by ensuring their assessment by relevant notified bodies.

What is it about?

The newly activated Articles of the Radio Equipment Directive intend to:

• Improve network resilience (Article 3.3.d):
  Wireless devices and products will have to incorporate features to avoid harming communication networks and prevent the possibility that the devices are used to disrupt website or other services functionality.
• Better protect consumers’ privacy (Article 3.3.e):
  Wireless devices and products will need to have features to guarantee the protection of personal data. The protection of children’s rights will become an essential element of this legislation. For instance, manufacturers will have to implement new measures to prevent unauthorised access or transmission of personal data.
• Reduce the risk of monetary fraud (Article 3.3.f):
  Wireless devices and products will have to include features to minimise the risk of fraud when making electronic payments. For example, they will need to ensure better authentication control of the user in order to avoid fraudulent payments.