Starting from 1 August 2024, wireless devices placed on the EU market must meet information security requirements harmonised at EU level. This is a major change for manufacturers, who have to take the new requirements into account when designing equipment.
The EU Radio Equipment Directive lays down harmonised requirements for different wireless devices that use the radio spectrum. All wireless devices sold in the EU must meet these requirements, which have now been supplemented with criteria that improve information security.
Wireless devices must meet mandatory information security requirements as from 1 August 2014
The objective of the new information security requirements is to protect communications networks, better protect users’ privacy and prevent monetary fraud committed using internet-connected equipment. In future, equipment and devices will need to have features to protect personal data, among other requirements. The new requirements concern wireless devices that are connected to the internet directly or via other equipment, such as mobile phones, toys, WLAN devices and smart watches. Requirements concerning the protection of personal data and privacy have been set, in particular, for children’s devices, such as toys and childcare equipment, and wearable equipment.
The Regulation supplementing the Radio Equipment Directive provides for a transition period for equipment manufacturers. Wireless devices placed on the market must comply with the new requirements starting from 1 August 2024.
New requirements entail a major change for equipment manufacturers
Cyber security is a sum of its parts. The new EU-level provisions aim at improving information security. The sector-specific Regulation that only applies to wireless devices supports other EU-level measures taken to improve cyber security.
“EU-level requirements lay the foundation for the information security of wireless devices – they define the new normal. Before, information security has been left up to equipment manufacturers, but the game is about to change. This is a major change especially for equipment manufacturers, who will have to invest in the information security of their products much more than at present. Information security requirements should be taken into account already when designing equipment and defining their features. August 2024 will come surprisingly soon, and I hope that all equipment manufacturers will start improving the security of their equipment as quickly as possible. The security requirements set the basic level, and it is always good to try to outdo your rivals,” says Jukka-Pekka Juutinen, director at the National Cyber Security Centre Finland at Traficom.
Additional requirements already set for smartphones
This is not the first time that additional requirements have been set for wireless devices. In 2018, the European Commission adopted a Regulation under the Radio Equipment Directive to improve the positioning of emergency callers when calls are made with smartphones. Smartphones must be able to receive and process Wi-Fi data and data from Global Navigation Satellite Systems. They must be compatible at least with the European Galileo system. The transition period given to equipment manufacturers is about to end, and smartphones placed on the EU market must meet the requirements as from 17 March 2022.
Traficom promotes effective and secure radio communication
The Finnish Transport and Communications Agency Traficom has participated in the drafting of the new legal provisions concerning information security, and will be responsible for monitoring compliance with the requirements as part of its overall market surveillance of wireless devices. The information security requirements supplement the requirements set for wireless devices to prevent interference and give Traficom new means to promote effective and secure radio communication. Alongside market surveillance, Traficom also provides information to consumers and other stakeholders about information security requirements for smart devices and about making safe choices when buying and using smart devices.
Enquiries
Milla Kuokkanen, Senior Specialist, market surveillance of wireless devices, milla.kuokkanen@traficom.fi, tel. +358 29 539 0354
Saana Seppänen, Senior Specialist, information security requirements, saana.seppanen@traficom.fi, tel. +358 29 539 0485
Galileo system: gnss@traficom.fi
For more information on the conformity of radio equipment, please visit Traficom’s website
EU Radio Equipment Directive (External link) (RED, 2014/53/EU) I
Commission Delegated Regulation (External link) (EU) 2022/30 on cyber security requirements
Commission Regulation (External link) (EU) 2019/320 on additional requirements for smartphones
Background
The Finnish Transport and Communications Agency Traficom’s pioneering Cybersecurity Label (External link)
Finland has been a global pioneer in improving the cyber security of smart devices: the Finnish Transport and Communications Agency Traficom introduced the Cybersecurity Label for smart home devices already in 2019. Traficom has also played an active role in drafting the European standard on smart devices, which forms the foundation for the requirements of the Finnish Cybersecurity Label. Cyber security requirements for smart devices have received increasing attention also outside Europe. In the autumn of 2021, Traficom began mutual auditing cooperation with Singapore, and the United States is currently preparing similar requirements for smart devices as those that form the basis for the Cybersecurity Label and the European standard.
The EU is also preparing a separate certification scheme for smart devices. Traficom has worked to influence the EU certification scheme so that products and services that have been granted the Finnish Cybersecurity Label would also meet most of the requirements for the EU certificate. The aim is to make it as easy as possible for Finnish companies to apply for an EU certificate for their products and services.