EU wants to curb cybercrime through 'smart' consumer electronics

Thermostats, doorbells, security cameras and other 'smart' products that do not meet minimum cybersecurity requirements are expected to be banned from the European market from 2024. This is the result of new EU legislation that was recently adopted, aiming to ensure that European consumers are better protected against cybercrime via web connected electronics.

The new legislation is laid down in a so-called 'Delegated Act', an extension of the Radio Equipment Directive (RED) (2014/53/EU), the European legislation for radio and other broadcasting equipment. This Delegated Act stipulates that products intended for the European market must comply with Articles 3.3 d, e and f of the RED. With this new legislation the EU wants to:

• Improve network security: Wireless products must include features that prevent communication networks from being damaged and disrupt the functionality of websites or other services.
• Better protect consumer privacy: Wireless products must have features that ensure the protection of personal data (particularly that of children). Manufacturers must take measures to prevent unauthorised access to or transfer of personal data.
• Reduce the risk of financial fraud: Wireless products must include features to minimise the risk of fraud in electronic payments, for example better authentication checks to prevent fraudulent payments.

Transition period

The new legislation provides for a transition period of 30 months. This enables manufacturers and other industry parties to adapt relevant products. Before the transition period starts, there is a further two-month scrutiny period during which the European Council and the European Parliament can still object. Basically all IoT equipment that will be on the market in the EU from mid-2024, should comply with the new regulations.

Demonstrate compliance

Conformity assessment standards have yet to be harmonised. However, manufacturers who want to move forward can demonstrate the conformity of their products by having them assessed by independent testing, inspection and certification bodies. A product can comply to Articles 3.3 d, e and f of the RED by the ETSI EN 303 645 or IEC 62443 -4 -2 standards.

Kiwa has already performed conformity assessments according to the new legislation on several IoT products. We have equipped a state of the art cybersecurity testing laboratory, so that IoT Consumer Electronics as well as industrial IoT components can be tested effectively and efficiently to proof compliance to articles 3.3 d, e and f of the RED.

More information

For more information on IoT product testing, please check our product page on ETSI EN 303 645: security of IoT consumer electronics.