The European Commission (EC) has announced plans to introduce new rules requiring device manufacturers to embed tougher cyber security measures when designing new wireless devices.
The amendment to the Radio Equipment Directive (RED) will cover all wireless devices, including mobile phones, smart watches, tablets, fitness trackers, and any other electronic device that intentionally transmits and/or emits radio waves for the purposes of communication.
Marking a significant step in the EC's legislative procedure, the act was formally adopted by the Commission on Friday; it now goes to the European Council and the European Parliament for scrutiny.
The adopted act, which takes the form of a delegated regulation, will undergo a two-month scrutiny period before it enters into force. After that, manufacturers will have a 30-month transition period in which to make the changes needed to comply with the new legal requirements. As a regulation it will be directly applicable in all member states, without the need for transposition into domestic legislation.
Going forward, new wireless devices will need features that protect personal data and children's rights. Devices such as baby monitors will need to implement compliant measures that prevent unauthorised access to, or transmission of, personal data.
There are a number of device types that are excluded from the new rules. These include: motor vehicles, electronic road toll systems, equipment to control unmanned aircraft remotely, and non-airborne specific radio equipment that may be installed on aircraft. The EC said the cyber security of these devices is already covered adequately by existing EU legislation.
From a network resilience perspective, devices must also have features that prevent them from being used to disrupt websites or other services.
Stronger user authentication for electronic payments is also stipulated in the new act, with the aim of reducing the risk of fraud.
The EC said the new requirements will be formulated in general terms, as objectives to be achieved rather than as specific protocols or measures to be applied in each device. To give manufacturers something concrete to build against, it will issue a standardisation request to the European Standardisation Organisations to develop harmonised standards in support of the legislation.
To demonstrate compliance, manufacturers will have a choice between submitting a self-assessment and relying on a third-party assessment performed by an independent body.
Some corners of the industry have argued that the rules are not focused on the right areas, saying secure-by-design principles should be applied to component manufacturers so that equipment manufacturers (OEMs) can produce secure devices by default. However, “Market dynamics do not allow technology users to influence technology OEMs in this manner."
"DCMS Secure by design legislation for the IoT technology manufacturers brings this influence in the same way this legislation suggests for wireless devices.
"It is generally accepted that mobile technologies are revised every 2 to 3 years, however, this is incremental and any fundamental change will be difficult. What needs to happen is the technologies provided to manufacturers (OEMs) are also secured by design so that the OEM can secure their products by default. That’s why the UK government is working through the Digital Security by Design program with the core technology providers to bring Digital Security by Design into the components used within wireless devices.”