Smart watches

Europe boosts cybersecurity on cellphones, smartwatches and other wireless devices

The European Commission has announced the adoption of the Radio Equipment Directive Delegated Act which aims to ensure a higher level of cybersecurity, personal data protection and privacy for wireless devices available on the European market.

As cellphones, smartwatches, fitness trackers and wireless toys are increasingly present in our daily lives, cyber threats pose a growing risk to every consumer. The Radio Equipment Directive Delegated Act adopted today aims to ensure that all wireless devices are safe before they are sold on the EU market. This law sets new legal requirements for cybersecurity guarantees, which manufacturers will have to take into account in the design and production of the products concerned. It will also protect the privacy and personal data of citizens, prevent the risk of monetary fraud and ensure better resilience of our communication networks.

Margrethe Vestager, Executive Vice President for a Europe Fit for the Digital Age, said: “You want your connected products to be secure. Otherwise how can you trust them for your professional or private communication? We are now establishing new legal obligations to protect the cybersecurity of electronic devices.

Thierry Breton, Commissioner for the Internal Market, said: “Cyber ​​threats are evolving rapidly; they are increasingly complex and adaptable. With the requirements we are introducing today, we will significantly improve the security of a wide range of products and strengthen our resilience against cyber threats, in line with our digital ambitions in Europe. This is an important step in establishing a comprehensive set of common European cybersecurity standards for products (including connected objects) and services placed on our market.

The measures proposed today will cover wireless devices such as mobile phones, tablets and other products capable of communicating over the Internet; toys and childcare equipment such as baby monitors; as well as a range of wearables such as smartwatches or fitness trackers.

The new measures will contribute to:

  • Improve network resiliency: Wireless devices and products shall incorporate functionality to prevent damage to communication networks and prevent the possibility of devices being used to disrupt website functionality or other services.
  • Better protect consumer privacy: Wireless devices and products will need to have features that ensure the protection of personal data. The protection of children’s rights will become an essential part of this legislation. For example, manufacturers will need to implement new measures to prevent unauthorized access or transmission of personal data.
  • Reduce the risk of monetary fraud: Wireless devices and products will need to include features to minimize the risk of fraud when making electronic payments. For example, they will have to ensure better control of user authentication in order to avoid fraudulent payments.
  • The delegated act will be complemented by a law on cyber resilience, recently announced by President von der Leyen in the State of the Union address, which would aim to cover more products, looking at their entire life cycle. Today’s proposal as well as the forthcoming Cyber ​​Resilience Law follow actions announced in the new EU Cybersecurity Strategy presented in December 2020.

Next steps
The delegated act will enter into force after a two-month review period, if the Council and the Parliament raise no objections.

After entry into force, manufacturers will have a transition period of 30 months to start complying with the new legal requirements. This will give the industry enough time to adapt the affected products before the new requirements become applicable, which is expected from mid-2024.

The Commission will also help manufacturers to comply with the new requirements by asking the European standardization bodies to develop relevant standards. Alternatively, manufacturers will also be able to prove the conformity of their products by ensuring their assessment by the competent notified bodies.