New times for IoT in Europe: EU introduces new requirements for notoriously insecure electronics

In two and a half years, all companies selling IoT products on the European market will have to comply with new rules from the European Commission, whose aim is to create more order in the Wild West of digitalisation—the Internet of Things.

Specifically, the Commission is seeking to supplement the so-called Radio Equipment Directive with a delegated act that tightens the requirements for IoT products on the European market.

As examples, the EU itself mentions smartphones, tablets, electronic cameras, telecommunications equipment in general, and children’s toys that communicate with the Internet. As the European Commission puts it in its press release:

“The Commission is concerned that the design of wireless devices sold in the EU does not guarantee a sufficient level of cybersecurity, personal data protection and privacy of their users. In recent years, products have been identified on the EU market that take advantage of a weak level of security of certain categories of wireless devices and are vulnerable to attacks or theft of personal data, or allow recording of children’s play.”

Final requirements are still in progress

The European Parliament and the Council now have two months to raise objections—and then the companies that want to sell IoT products on the European market have 30 months to comply with the new rules.

It is not yet known exactly what the rules will look like, because the EU has only now asked the European Standardization Organizations (ESO) to draw up the specific standards that companies must ultimately meet. Version2 will follow up on the specific technical requirements once they are implemented.

“The delegated act is applicable not only to the European industry, but to any manufacturer that intends to place a product on the EU market,” the Commission wrote in the press release.

Old products may remain on the market

A crucial point is that old products that do not meet the new requirements after those 30 months can continue to be used without being re-certified within their life cycle.

In practice, this means that many IoT devices that would not be able to pass a legal stress test in mid-2024 could still be used long after if they have a long life cycle.

The individual countries will be the ones monitoring the market. It is still unknown which authority will be responsible for that task in Denmark, but Version2 will follow up on it once the delegated act is finally implemented.