[iot-wg] Proposed Updates to EU RED Directive to increase IoT security

Dear Colleagues,

As I mentioned in my presentation to the Working Group during RIPE 77, the European Commission is thinking about updating the Radio Equipment Directive with the aim of improving IoT security.

As a quick refresher, the RED applies to all equipment that has a radio on board. The legislation has a few broadly-defined terms regarding security and safety, which can be filled in on a later date. Last year, a number of member states floated the idea of using this option to increase security for a number of IoT devices, mostly toys and 'smart wearables’, for e.g. smart watches and step-counters.

The European Commission has now opened a four week ‘feedback’ period on what is called an ‘Inception Impact Assessment’. This means the process is at an early stage and not very specific, and they are seeking feedback from stakeholders on their thoughts so far. As expected, the proposal currently does indeed target toys and wearables. Of course, this could change or be expanded later.

Here are the key questions in the Inception document:

- The overall objective of this initiative is to ensure an adequate level of security for internet-connected radio equipment and wearable radio equipment at the moment of placing on the market. 

- The following policy options and their effects for potentially affected parties (e.g. manufacturers, consumers, National Authorities) will be analysed:

	- Option 0, baseline scenario: a situation in which manufacturers are not obliged to implement any specific measures as it is currently the case.

	- Option 1, a situation whereby the industry self-regulates to implement the existing legislation which protects personal data, the confidentiality of telecommunications, security and protection against fraud.

	- Option 2, adoption of a delegated act pursuant Article 3(3)(e). This will require that radio equipment incorporate safeguards to ensure that the personal data and privacy of the user and of the subscriber are protected, also as a tool to enhance the cybersecurity of these products, and this requirement will have to be demonstrated for the purposes of market access.

	- Option 3, adoption of a delegated act pursuant Article 3(3)(f). This will require that radio equipment incorporates certain features ensuring protection from fraud, also as a tool to enhance the cybersecurity of these products, and this requirement will have to be demonstrated for the purposes of market access.

	- Option 4, adoption of a delegated act pursuant both Articles 3(3)(e) and (f). In this case, both requirements in Options 2 and 3 will have to be demonstrated for the purposes of market access.

More information about the process and the Inception Impact Assessment is available from 
https://ec.europa.eu/info/law/better-regulation/initiatives/ares-2018-6426936_en 

The deadline to submit feedback is Monday, 4 March 2019.

This is the very early stage of the development. If a more formal proposal is drafted based on one of these policy options, there will be another 12-week consultation period. At the same time, please be aware that this process could result in a so-called ‘Delegated Act’, which does not require the formal approval of the European Parliament or Council and can come into effect very quickly.

Regards,

Marco Hogewoning
Senior External Relations Officer
RIPE NCC


------------------
Summary
------------------
RED security Inception Impact Assessment Feedback period: 4 weeks ending on 4 March 2019

Possibly followed by a 12 week consultation period