Networked devices: Higher security requirements will take effect in August 2025

Manufacturers of smartphones, wearables, IoT etc. must upgrade IT security and data protection in the EEA in a timely manner. The relevant standards are ready.


Networked devices that have a wireless interface such as Bluetooth or Wi-Fi will soon be subject to stricter IT security and data protection requirements in the European Economic Area (EEA). From August 1, 2025, a CE mark must make it clear that the smartphones, wearables, and other wireless devices concerned also meet basic requirements for network protection, privacy, and protection against fraud. Otherwise, sale in the EEA is not permitted.

The requirements result from a subordinate legal act to the controversial EU Radio Equipment Directive (RED). The delegated regulation from 2022, with which the EU Commission is declaring war on data breaches in wirelessly networked devices, should actually have been in force since August 1, 2024. However, in July last year, the EU Commission adopted a supplementary regulation that sets August 1, 2025, as the deadline. The reason: the responsible standardization institutes CEN and Cenelec needed more time.


The standardization process has now been completed, and the harmonized standards EN 18031-1/-2/-3 were published in the EU Official Journal at the end of last week. This confirms that the later start date can be met; the implementation period is now running. The standards specify the binding regulations and define test criteria, which should simplify proof of conformity. This should also make it easier for smaller companies to comply with the requirements.

In terms of content, the standards cover, among other things, the protection of confidential communication and the existence of an update mechanism. However, they only confer a presumption of conformity with restrictions. The restrictions relate in particular to the mandatory setting of user passwords and the guarantee of access control by parents or guardians for toys. Devices that enable financial transactions are also excluded.

The German Federal Office for Information Security (BSI) was also involved in the development of the standards. The BSI emphasizes that manufacturers subject to the standards can test their products themselves using transparent requirements and test criteria. The competent market surveillance authority under the Radio Equipment Directive (RED), which in Germany is the Federal Network Agency, then only checks compliance with the requirements. Without standards, proof of conformity would only have been possible through a notified testing body.

According to decisions by the European Court of Justice (ECJ), harmonized standards have more or less the force of law. As a result, expectations of such specifications have increased. According to the regulation derived from the RED, radio equipment in certain categories or classes must be designed in such a way that it does not have “harmful effects on the network or its operation” or cause “misuse of network resources” and thus disproportionately affect services. “Fraud protection functions” such as multifactor authentication should be implementable.

The Cyber Resilience Act (CRA), which comes into force at the end of 2024, will impose even stricter requirements on device manufacturers. From December 2027, products “with digital elements” such as software may only be placed on the market in the EU if they comply with more stringent minimum IT security requirements. As a rule, they will then have to be supplied with security updates for at least five years. Manufacturers are required to take responsibility for the IT security of their products and applications throughout their entire life cycle (security by design).

A new Commission plan goes one step further. E-commerce platforms such as Temu, Shein, Amazon Marketplace or Alibaba are to be held liable for the online sale of dangerous or illegal products, writes the Financial Times. A customs reform is planned that would oblige operators of digital marketplaces to provide comprehensive data before goods arrive in the EU. The responsible officials – coordinated by a European Customs Authority (EUCA) – would be able to better control and check parcels.

The duty-free limit for deliveries of less than 150 euros is to be abolished. The Commission wants to take action against the flood of parcels, particularly from China, which contain unsafe products or counterfeits. The German government's e-commerce action plan contains partly similar measures.

(ds)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.