Productwise Bitesize brings you a short introduction to the Delegated Act to the Radio Equipment Directive on cybersecurity, which aims to increase the level of cybersecurity of wireless devices placed on the EU market.

What is it called?

Delegated Regulation 2022/30 supplementing the EU’s Radio Equipment Directive (the Delegated Act).

What is it about?

The European Commission has identified that certain devices, such as smart appliances, wearable radio equipment and certain connected toys, do not have a sufficient level of cybersecurity and privacy protection, and, as a result, are vulnerable to attacks or theft of personal data. From 1 August 2024, the Delegated Act will require manufacturers of products covered by the Delegated Act to include certain technical features to improve the level of cybersecurity of their products.

Who and what does it apply to?

The requirements apply to any radio equipment that can itself communicate over the internet, whether directly or via any other equipment (defined as “Internet-connected radio equipment”). Wearables and toys/childcare articles that are not internet-connected, but emit or receive radio waves, are also in scope of some of the requirements. There are limited exclusions, e.g. motor vehicles and medical devices.

The Delegated Act is just one part of the EU’s work on cybersecurity, and will sit alongside other European cybersecurity legislation, including the Cybersecurity Act, which establishes a framework for EU-wide cybersecurity certification schemes, and the proposed Cyber Resilience Act, which aims to establish common cybersecurity standards for connected products and associated services placed on the EU market.

Why does it matter?

The Delegated Act introduces new cybersecurity “essential requirements” under the RED. Manufacturers of products within scope will have to:

  • Network harm: Make sure that the product is not capable of harming the network or its functioning, or of misusing network resources, thereby causing an unacceptable degradation of service. This requirement applies to all “internet-connected radio equipment”, but not to wearables and toys/childcare articles that are not internet-connected.
  • Data/privacy: Incorporate safeguards to make sure that the personal data and privacy of the user and of the subscriber are protected. This applies to “internet-connected radio equipment” and wearables and toys/childcare articles that are capable of processing personal data or traffic data and location data.
  • Fraud protections: Support certain features ensuring protection from fraud. This applies to “internet-connected radio equipment” that enables the holder or user to transfer money, monetary value or virtual currency, but not wearables and toys/childcare articles that are not internet connected.

Compliance with the new essential requirements will need to be demonstrated as part of the conformity assessment process under the RED, and EU authorities will be empowered to remove devices that don’t comply from the market.

The essential requirements are formulated in general terms as objectives to be achieved. Harmonised standards will fill in the detail of how products in scope will meet them. Harmonised standards do not currently exist for these new essential requirements and will need to be developed. There is a risk that the standards may not be in place with sufficient lead time when the requirements start to apply. If that is the case, manufacturers may be forced to use a conformity assessment involving a notified body.

Where can I find it?

  • Legislation here
  • Draft standardisation mandate here
  • FAQs here
  • Guidance not yet available

Are there any upcoming changes?

There are no upcoming legislative changes in advance of the Delegated Act starting to apply from 1 August 2024. However, interested parties should closely follow the development of harmonised standards, which are expected to provide details of how products can comply with the new requirements.

Posted by Cooley