Impact assessment paves the way for cybersecurity requirements for radio equipment

The European Commission published the impact assessment study report on internet-connected radio equipment and wearable radio equipment.

The study analyses different policy options aimed at strengthening safeguards for internet-connected and wearable radio equipment, regarding data protection and protection from fraud. The study looked at whether the European Commission should activate regulatory measures - such as delegated acts under the Radio Equipment Directive 2014/53/EU - either for article 3(3)(e), 3(3)(f) or both.

Specifically, the following five policy options have been analysed:

  • Option 0 (status quo, default option) based on existing EU legislation (e.g. GDPR, e-Privacy Directive, forthcoming e-Privacy Regulation)

  • Option 1 – A voluntary approach with two sub-options: 

    • Option 1.1 – Voluntary approach, such as industry self-regulation, and national governments promoting awareness of consumer IoT security

    • Option 1.2 – Voluntary measures to support the implementation of a regulatory approach. Non-mandatory accompanying measures, e.g. awareness-raising measures, development of (voluntary) sectoral codes of practice on data protection and privacy (e.g. Art. 40 / 41 of the GDPR)

  • Option 2 – Adoption of a delegated act based on Article 3(3)(e) - safeguards to ensure data protection and privacy of users and subscribers

  • Option 3 – Adoption of a delegated act based on Article 3(3)(f) - ensuring protection from fraud

  • Option 4 – Adoption of two delegated acts based on Articles 3(3)(e) and 3(3)(f)

  • Option 5 – Horizontal approach - development of a mandatory Cybersecurity Act

The consultant considers Option 4 the most effective option to address existing regulatory gaps and make an explicit link between product safety and security (data protection and privacy and protection from fraud).

In 2019, CECE members answered the public consultation that supported the impact assessment study report. Our members agree that the resilience of Internet-connected radio equipment to cyber-attacks should be addressed in a consistent way in Europe, without overlapping with, and potentially contradicting, existing legislation, including the recently adopted European Cybersecurity Act or the General Data Protection Regulation (GDPR).

Addressing cybersecurity requirements in a Delegated Act under the RED would be limited to a subset of products and cybersecurity requirements. A vertical approach to cybersecurity requirements in product legislation risks creating inconsistent, patchy and overlapping cybersecurity requirements for manufacturers in Europe, causing legal uncertainty.

The full impact assessment study report and annexes are available on the EC’s website.

Source: CECE - Committee for European Construction Equipment