Euralarm, the European association of the fire safety and security industry, has commented on the upcoming delegated act (DA) for internet-connected and wearable radio equipment, as part of the Radio Equipment Directive.
The comments and proposals are given in view of the activation of the delegated act pursuant to article 3(3) of the RED (d, e and f) and cover the scope of the delegated act, the definition of ‘internet-connected devices’ and the implementation period.
Relevant technical aspects addressing cyber security
While Euralarm supports the need for increased cyber security, the fire and security industry would prefer a horizontal cyber security regulation. Nevertheless, if the requirements are embedded in the RED, Euralarm wants to ensure that the technical aspects addressing cyber security are relevant for wireless fire safety and security equipment, and can work for manufacturers and service providers.
The idea is to include the cyber security requirements through a delegated act on internet-connected and wearable radio equipment. Such an act is a legally binding act that enables the Commission to supplement or amend non‑essential parts of EU legislative acts, for example, to define detailed measures.
Scope of DA limited to ‘internet-connected devices’
Since the essential requirements of the delegated act have been triggered by cases involving toys and other consumer devices, Euralarm believes that the scope of the DA (delegated act) should be limited to the ‘consumer internet-connected devices’.
Article 3(3) (d) of the RED states, “Radio equipment does not harm the network or its functioning, nor does it misuse network resources, so as to cause an unacceptable degradation of service.” The term ‘network’ is not defined in the RED. Applying Art 3(3) (d) to internet-connected devices would create a deviating understanding of ‘network’: instead of a radio communication network, it would be enlarged to the ‘internet’.
Ensuring users' privacy and data security
According to Euralarm, it is therefore sufficient to enforce Art 3(3) (e) and (f) to ensure that personal data and privacy of the user and subscriber are protected, and that the equipment is protected from fraud. This will also reduce the risk of inconsistent and overlapping requirements.
As far as the definition of ‘internet-connected devices’ is concerned, Euralarm believes that a clear definition is crucial for the correct application of this delegated act and that, therefore, the concept of ‘directly or indirectly’ shall be avoided.
Defining ‘consumer internet-connected device’
Since ‘internet’ is neither used nor defined in the RED, Euralarm also proposes to reformulate this definition to cover radio equipment connected by using any internet protocol. This specifically covers those devices that could potentially present cyber security risks.
The definition of a consumer internet-connected device that Euralarm proposes is “Any radio equipment, falling within the scope of Directive 2014/53/EU, which is capable to be connected to internet by using any internet protocol and intended to be put into service by a consumer or any other end-user.”
Proposed transition period of five years
As far as the date of application is concerned, Euralarm proposes a transition period of five years before the requirements of the delegated act become mandatory. This allows enough time for a harmonised standard to become available and cited, and for manufacturers to finalise their product design and demonstrate compliance.