COMMISSION DELEGATED REGULATION (EU) 2022/30
of 29 October 2021
supplementing Directive 2014/53/EU of the European Parliament and of the Council with regard to the application of the essential requirements referred to in Article 3(3), points (d), (e) and (f), of that Directive
(Text with EEA relevance)
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Directive 2014/53/EU of the European Parliament and of the Council of 16 April 2014 on the harmonisation of the laws of the Member States relating to the making available on the market of radio equipment and repealing Directive 1999/5/EC (1), and in particular Article 3(3), the second subparagraph, in conjunction with Article 3(3), first subparagraph, points (d), (e) and (f), thereof,
Whereas:
(1) Protection of the network or its functioning from harm, protection of personal data and privacy of the user and of the subscriber and protection from fraud are elements that support protection against cybersecurity risks.
(2) As stated in recital 13 of Directive 2014/53/EU, the protection of personal data and privacy of users and of subscribers of radio equipment and the protection from fraud may be enhanced by particular features of radio equipment. According to that recital, radio equipment should therefore in appropriate cases be designed in such a way that it supports those features.
(3) 5G will play a key role in the development of the Union digital economy and society in the years to come and will potentially affect almost every aspect of Union citizens’ lives. The document with title ‘Cybersecurity of 5G networks EU Toolbox of risk mitigating measures’ (2) identifies a possible common set of measures which are able to mitigate the main cybersecurity risks of 5G networks and provides guidance for the selection of measures which should be prioritised in mitigation plans at national and at Union level. In addition to those measures, it is very important to follow a harmonised approach to essential requirements relating to elements of cybersecurity protection applicable to 5G radio equipment when it is placed on the Union market.
(4) The level of security applicable under Union essential requirements set out in Article 3(3)(d), (e) and (f) to ensure network protection, safeguards for the protection of personal data and privacy and protection from fraud shall not undermine the high level of security requested at national level for decentralised smart grids in the field of energy where smart meters subject to those requirements are to be used, and for 5G network equipment used by providers of public electronic communications networks and publicly available electronic communications services within the meaning of Directive (EU) 2018/1972 of the European Parliament and of the Council (3).
(5) Numerous concerns have also been expressed in relation to increasing cybersecurity risks as a result of the increased use by professionals and consumers, including children, of radio equipment which: (i) is capable itself to communicate over the internet, regardless if it communicates directly or via any other equipment (‘internet-connected radio equipment’), i.e., such internet-connected equipment operates protocols necessary to exchange data with the internet either directly or by means of an intermediate equipment; (ii) can be either a toy with radio function which also falls within the scope of Directive 2009/48/EC of the European Parliament and of the Council (4) or is designed or intended exclusively for childcare, such as child monitors; or (iii) is designed or intended, whether exclusively or not exclusively, to be worn on, strapped to, or hung from any part of the human body (including the head, neck, trunk, arms, hands, legs and feet) or any clothing (including headwear, hand wear and footwear) worn by human beings such as radio equipment in the form of wrist watch, ring, wristband, headset, earphone or glasses (‘wearable radio equipment’).
(6) In this respect, any radio equipment for childcare, radio equipment covered by Directive 2009/48/EC or wearable radio equipment, which is capable itself to communicate over the internet, regardless if it communicates directly or via any other equipment, should be deemed to be internet-connected radio equipment. Implants, for example, should not be considered as wearable radio equipment as they are not worn on, strapped to, or hung from any part of the human body or any clothing. However, implants should be deemed to be internet-connected radio equipment, if they are capable themselves to communicate over the internet, regardless if they communicate directly or via any other equipment.
(7) Given the concerns raised due to the fact that radio equipment does not ensure protection against elements of cybersecurity risks, it is necessary to render applicable, for radio equipment within certain categories or classes, the essential requirements of Directive 2014/53/EU associated with the protection from harm to the network, protection of personal data and privacy of users and of subscribers and protection from fraud.
(8) Directive 2014/53/EU applies to products that meet the definition of ‘radio equipment’ in Article 2 of that Directive, subject to specific exclusions specified in Article 1(2) and Article 1(3) of that Directive. Whilst the definition of radio equipment in Article 2 of Directive 2014/53/EU refers to equipment that can communicate with radio waves, no requirements of Directive 2014/53/EU make a distinction between the radio and non-radio functions of the radio equipment and therefore all aspects and parts of the equipment should comply with the essential requirements provided for in this delegated regulation.
(9) As regards harm to the network or its functioning or misuse of network resources, unacceptable degradation of services can be caused by internet-connected radio equipment which do not ensure that networks are not harmed or are not misused. For example, an attacker may maliciously flood the internet network to prevent legitimate network traffic, disrupt the connections between two radio products, thus preventing access to a service, prevent a particular person from accessing a service, disrupt a service to a specific system or person or disrupt information. The degradation of online services can thus result in malicious cyber-attacks, which will lead to increased costs, inconveniences or risks for operators, service providers or users. Article 3(3), point (d), of Directive 2014/53/EU, which requires that radio equipment does not harm the network or its functioning nor misuse network resources, thereby causing an unacceptable degradation of service, should therefore apply to internet-connected radio equipment.
(10) Concerns have also been raised as regards the protection of personal data and privacy of the user and of the subscriber of internet-connected radio equipment due to the ability of that radio equipment to record, store and share information, interact with the user, including children, when speakers, microphones and other sensors are integrated in that radio equipment. Those concerns relate, in particular to the ability of that radio equipment to record photos, videos, localisation data, data linked to the play experience as well as heartrate, sleeping habits or other personal data. For instance, advanced settings of the radio equipment can be accessed through a default password if the connection or the data are not encrypted or if a strong authentication mechanism is not in place.
(11) It is thus important that internet-connected radio equipment, which is placed on the Union market, incorporate safeguards to ensure that personal data and privacy are protected when they are capable of processing personal data as defined in Article 4(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council (5) or data defined in Article 2, points (b) and (c), of Directive 2002/58/EC of the European Parliament and of the Council (6). Article 3(3), point (e), of Directive 2014/53/EU should therefore apply to internet-connected radio equipment.
(12) Additionally, as regards the protection of personal data and privacy, radio equipment for childcare, radio equipment covered by Directive 2009/48/EC and wearable radio equipment pose security risks even in the absence of an internet connection. Personal data can be intercepted when that radio equipment emits or receives radio waves and lacks safeguards that ensure personal data and privacy protection. The radio equipment for childcare, the radio equipment covered by Directive 2009/48/EC and the wearable radio equipment can monitor and register a number of the user’s sensitive (personal) data over time and retransmit them through communication technologies that might be insecure. The radio equipment for childcare, the radio equipment covered by Directive 2009/48/EC and the wearable radio equipment should also ensure protection of personal data and privacy, when they are capable of processing, within the meaning of Article 4(2) of Regulation (EU) 2016/679, of personal data, as defined in Article 4(1) of Regulation (EU) 2016/679, or traffic data and location data, as defined in Article 2, points (b) and (c), of Directive 2002/58/EC. Article 3(3), point (e), of Directive 2014/53/EU should therefore apply to that radio equipment.
(13) As regards fraud, information including personal data can be stolen from internet-connected radio equipment, which do not ensure protection from fraud. Specific kinds of frauds concern internet-connected radio equipment when they are used to perform payments over the internet. The costs can be high and do not only concern the person who suffered the fraud, but also society as a whole (for example, the cost of police investigation, the costs of victim services, the costs of trials to establish responsibilities). It is therefore necessary to ensure trustworthy transactions and minimise the risk of incurring financial loss of the users of internet-connected radio equipment executing the payment via that radio equipment and of the recipient of the payment carried out via that radio equipment.
(14) Internet-connected radio equipment placed on the Union market should support features for ensuring protection from fraud when they enable the holder or user to transfer money, monetary value or virtual currency as defined in Article 2, point (d), of Directive (EU) 2019/713 of the European Parliament and of the Council (7). Article 3(3), point (f), of Directive 2014/53/EU should therefore apply to that radio equipment.
(15) Regulation (EU) 2017/745 of the European Parliament and of the Council (8) lays down rules on medical devices and Regulation (EU) 2017/746 of the European Parliament and of the Council (9) lays down rules on in vitro diagnostic medical devices. Both Regulations (EU) 2017/745 and (EU) 2017/746 address certain elements of cybersecurity risks associated with the risks addressed by Article 3(3), points (d), (e) and (f), of Directive 2014/53/EU. Radio equipment to which either of those Regulations apply should therefore not fall within the categories or classes of radio equipment which should comply with the essential requirements set out in Article 3(3), points (d), (e) and (f), of Directive 2014/53/EU.
(16) Regulation (EU) 2019/2144 of the European Parliament and of the Council (10) establishes requirements for the type-approval of vehicles, and of their systems and components. In addition, the principal objective of Regulation (EU) 2018/1139 of the European Parliament and of the Council (11) is to establish and maintain a high uniform level of civil aviation safety in the Union. Moreover, Directive (EU) 2019/520 of the European Parliament and of the Council (12) lays down the conditions for the interoperability of electronic road toll systems and for facilitating cross-border exchange of information on the failure to pay road fees in the Union. Regulations (EU) 2019/2144 and (EU) 2018/1139 and Directive (EU) 2019/520 address elements of cybersecurity risks associated with the risks set out in Article 3(3), points (e) and (f), of Directive 2014/53/EU. Radio equipment to which Regulations (EU) 2019/2144 and (EU) 2018/1139 or Directive (EU) 2019/520 apply should therefore not fall within the categories or classes of radio equipment which should comply with the essential requirements set out in Article 3(3), points (e) and (f), of Directive 2014/53/EU.
(17) Article 3 of Directive 2014/53/EU provides for essential requirements with which economic operators shall comply. In order to facilitate conformity assessment with those requirements, it provides for a presumption of conformity for radio equipment that complies with voluntary harmonised standards that are adopted in accordance with Regulation (EU) No 1025/2012 of the European Parliament and of the Council (13) for the purpose of expressing detailed technical specifications of those requirements. The specifications will consider and address the level of risks that correspond to the intended use of each category or class of radio equipment concerned by this Regulation.
(18) Economic operators should be provided with a sufficient time to adapt to the requirements of this Regulation. The application of this Regulation should therefore be deferred. This Regulation is not to prevent economic operators from complying with it from the date of its entry into force.
(19) The Commission has carried out appropriate consultations during the preparatory work of the measures set out in this Regulation and has consulted the Expert Group on Radio Equipment,
HAS ADOPTED THIS REGULATION:
Article 1
1. The essential requirement set out in Article 3(3), point (d), of Directive 2014/53/EU shall apply to any radio equipment that can communicate itself over the internet, whether it communicates directly or via any other equipment (‘internet-connected radio equipment’).
2. The essential requirement set out in Article 3(3), point (e), of Directive 2014/53/EU shall apply to any of the following radio equipment, if that radio equipment is capable of processing, within the meaning of Article 4(2) of Regulation (EU) 2016/679, personal data, as defined in Article 4(1) of Regulation (EU) 2016/679, or traffic data and location data, as defined in Article 2, points (b) and (c), of Directive 2002/58/EC:
(a) internet-connected radio equipment, other than the equipment referred to in points (b), (c) or (d);
(b) radio equipment designed or intended exclusively for childcare;
(c) radio equipment covered by Directive 2009/48/EC;
(d) radio equipment designed or intended, whether exclusively or not exclusively, to be worn on, strapped to, or hung from any of the following:
(i) any part of the human body, including the head, neck, trunk, arms, hands, legs and feet;
(ii) any clothing, including headwear, hand wear and footwear, which is worn by human beings.
3. The essential requirement set out in Article 3(3), point (f), of Directive 2014/53/EU shall apply to any internet-connected radio equipment, if that equipment enables the holder or user to transfer money, monetary value or virtual currency as defined in Article 2, point (d), of Directive (EU) 2019/713.
Article 2
1. By way of derogation from Article 1, the essential requirements set out in Article 3(3), points (d), (e) and (f), of Directive 2014/53/EU shall not apply to radio equipment to which either of the following Union legislation also applies:
(a) Regulation (EU) 2017/745;
(b) Regulation (EU) 2017/746.
2. By way of derogation from Article 1(2) and Article 1(3), the essential requirements set out in Article 3(3), points (e) and (f), of Directive 2014/53/EU shall not apply to radio equipment to which any of the following Union legislation also applies:
(a) Regulation (EU) 2018/1139;
(b) Regulation (EU) 2019/2144;
(c) Directive (EU) 2019/520.
Article 3
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
It shall apply from 1 August 2024.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels, 29 October 2021.
For the Commission
The President
Ursula VON DER LEYEN
(1) OJ L 153, 22.5.2014, p. 62.
(2) Cybersecurity of 5G networks – EU Toolbox of risk mitigating measures, 29 January 2020. https://ec.europa.eu/digital-singlemarket/en/nis-cooperation-group
(3) Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code (OJ L 321, 17.12.2018, p. 36).
(4) Directive 2009/48/EC of the European Parliament and of the Council of 18 June 2009 on the safety of toys (OJ L 170, 30.6.2009, p. 1).
(5) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
(6) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37).
(7) Directive (EU) 2019/713 of the European Parliament and of the Council of 17 April 2019 on combating fraud and counterfeiting of non-cash means of payment and replacing Council Framework Decision 2001/413/JHA (OJ L 123, 10.5.2019, p. 18).
(8) Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC (OJ L 117, 5.5.2017, p. 1).
(9) Regulation (EU) 2017/746 of the European Parliament and of the Council of 5 April 2017 on in vitro diagnostic medical devices and repealing Directive 98/79/EC and Commission Decision 2010/227/EU (OJ L 117, 5.5.2017, p. 176).
(10) Regulation (EU) 2019/2144 of the European Parliament and of the Council of 27 November 2019 on type-approval requirements for motor vehicles and their trailers, and systems, components and separate technical units intended for such vehicles, as regards their general safety and the protection of vehicle occupants and vulnerable road users, amending Regulation (EU) 2018/858 of the European Parliament and of the Council and repealing Regulations (EC) No 78/2009, (EC) No 79/2009 and (EC) No 661/2009 of the European Parliament and of the Council and Commission Regulations (EC) No 631/2009, (EU) No 406/2010, (EU) No 672/2010, (EU) No 1003/2010, (EU) No 1005/2010, (EU) No 1008/2010, (EU) No 1009/2010, (EU) No 19/2011, (EU) No 109/2011, (EU) No 458/2011, (EU) No 65/2012, (EU) No 130/2012, (EU) No 347/2012, (EU) No 351/2012, (EU) No 1230/2012 and (EU) 2015/166 (OJ L 325, 16.12.2019, p. 1).
(11) Regulation (EU) 2018/1139 of the European Parliament and of the Council of 4 July 2018 on common rules in the field of civil aviation and establishing a European Union Aviation Safety Agency, and amending Regulations (EC) No 2111/2005, (EC) No 1008/2008, (EU) No 996/2010, (EU) No 376/2014 and Directives 2014/30/EU and 2014/53/EU of the European Parliament and of the Council, and repealing Regulations (EC) No 552/2004 and (EC) No 216/2008 of the European Parliament and of the Council and Council Regulation (EEC) No 3922/91 (OJ L 212, 22.8.2018, p. 1).
(12) Directive (EU) 2019/520 of the European Parliament and of the Council of 19 March 2019 on the interoperability of electronic road toll systems and facilitating cross-border exchange of information on the failure to pay road fees in the Union (OJ L 91, 29.3.2019, p. 45).
(13) Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council Decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12).