While Euralarm supports the need for increased cybersecurity, the fire and security industry would prefer a horizontal cybersecurity regulation. Nevertheless, if cybersecurity requirements are embedded in the Radio Equipment Directive (RED), Euralarm wants to ensure that the technical aspects addressing cybersecurity are relevant for wireless fire safety and security equipment and can work for manufacturers and service providers.
The idea is to include the cybersecurity requirements through a delegated act on Internet-connected and wearable radio equipment. Such an act is a legally binding act that enables the Commission to supplement or amend non‑essential parts of EU legislative acts, for example, to define detailed measures. Since the essential requirements of the delegated act have been triggered by cases involving toys and other consumer devices, Euralarm believes that the scope of the delegated act should be limited to “consumer internet-connected devices”.
Article 3(3)(d) of the RED states that “Radio equipment does not harm the network or its functioning nor misuse network resources, thereby causing an unacceptable degradation of service”. The term “network” is not defined in the RED. Applying Art 3(3)(d) to internet-connected devices would create a deviating understanding of “network”: instead of the radio communication network, it would be enlarged to the “internet”. According to Euralarm, it is therefore sufficient to enforce Art 3(3)(e) and (f) to ensure that the personal data and privacy of the user and subscriber are protected and that the equipment is protected from fraud. This will also reduce the risk of inconsistent and overlapping requirements.
As far as the definition of “internet-connected devices” is concerned, Euralarm believes that a clear definition is crucial for the correct application of this delegated act and that therefore the concept of “directly or indirectly” shall be avoided. Since “internet” is neither used nor defined in the RED, Euralarm also proposes to reformulate this definition to cover radio equipment connected by using any internet protocol. This specifically covers those devices that could potentially present cybersecurity risks. The definition of a consumer internet-connected device that Euralarm proposes is “any radio equipment, falling within the scope of Directive 2014/53/EU, which is capable to be connected to internet by using any internet protocol and intended to be put into service by a consumer or any other end-user.”
As far as the date of application is concerned, Euralarm proposes a transition period of five years before the requirements of the delegated act become mandatory. This allows enough time for a harmonised standard to become available and cited, and for manufacturers to finalise their product design and demonstrate compliance.
The full text of the Euralarm Communiqué can be downloaded here.