The Commission of the European Union (EU) is taking steps to specifically include the cybersecurity of internet-connected equipment under the scope of its Radio Equipment Directive (2014/53/EU, also known as RED).
Under the terms detailed in a preliminary draft of a Commission Delegated Regulation published at the end of October, the essential requirements set out in Article 3(3) of the RED will be applicable to “any radio equipment that can communicate itself over the internet, whether it communicates directly or via any other equipment.”
While the RED’s essential requirements will apply to most types of internet-connected radio equipment, equipment and devices specifically called out in the draft Delegated Regulation include:
- Radio equipment designed or intended exclusively for childcare;
- Radio equipment covered under the scope of the EU’s Directive on the Safety of Toys (2009/48/EC);
- Radio equipment designed or intended to be worn, strapped to, or hung from any part of the human body or incorporated into any clothing worn by humans, such as headwear, handwear, or footwear;
- Radio equipment that enables the holder or user to transfer money, monetary value, or virtual currency.
Internet-connected equipment expressly not included under the expanded scope of cybersecurity requirements detailed in the draft Delegated Regulation include medical devices covered under the EU’s Medical Device Regulation (EU 2017/745) and the In Vitro Diagnostic Medical Device Regulation (EU 2017/746). Also excluded are internet-connected equipment and devices used in civil aviation applications (EU 2018/1139) and in automotive systems and components (EU 2019/2144).