Stricter Security Requirements for Connected Devices Set to Take Effect in August 2025

Tue 4th Feb, 2025

New regulations aimed at enhancing IT security and data protection for connected devices in the European Economic Area (EEA) will come into force on August 1, 2025. These regulations will apply to devices such as smartphones, wearables, and various IoT products that utilize wireless connectivity, including Bluetooth and Wi-Fi.

From this date, devices covered under these regulations must display a CE marking, indicating compliance with essential requirements for network protection, privacy, and fraud prevention. Failure to comply will result in a prohibition on sales within the EEA.

The new requirements stem from a delegated regulation linked to the EU's Radio Equipment Directive (RED), which seeks to mitigate data breaches associated with wireless connected devices. Initially, these regulations were scheduled to take effect on August 1, 2024, but the European Commission postponed the implementation to allow standardization bodies such as CEN and Cenelec additional time to finalize the necessary norms.

Recently, the standardization process was completed, and the harmonized standards EN 18031-1/-2/-3 were published in the EU's official journal. This publication confirms that the delayed start date will be upheld, and the implementation period is now in effect. These standards clarify the binding regulations and establish testing criteria to simplify the process for manufacturers, particularly smaller companies, to comply with the new requirements.

The newly established norms address crucial aspects, such as securing confidential communications and ensuring the presence of an update mechanism. However, the presumption of conformity they confer is limited in certain respects, notably regarding the mandatory implementation of user passwords and parental controls for toys. Additionally, devices facilitating financial transactions are excluded from these regulations.

The Federal Office for Information Security (BSI) in Germany contributed to the development of these norms, emphasizing that manufacturers can independently test their products against transparent requirements and testing criteria. In turn, the market surveillance authority responsible for enforcing the Radio Equipment Directive in Germany, the Federal Network Agency, will only need to verify compliance with these standards. Without these norms, proving compliance would have required assessment by a notified testing body.

According to the European Court of Justice (ECJ), harmonized norms effectively hold the weight of law. Consequently, expectations for such specifications have heightened. Wireless devices must be constructed in a manner that prevents them from having detrimental effects on networks or their operations, or from facilitating the misuse of network resources, which could unduly disrupt services. Features aimed at fraud protection, such as multi-factor authentication, must also be implementable.

Looking ahead, the European Commission is preparing further regulations under the recently enacted Cyber Resilience Act (CRA), which will impose additional requirements on device manufacturers. Starting in December 2027, products featuring digital elements, including software, will only be permitted in the EU market if they comply with enhanced minimum IT security standards. This includes a requirement for manufacturers to provide security updates for a minimum of five years and to take full responsibility for the IT security of their products throughout their lifecycle, adhering to the principle of 'Security by Design.'

Moreover, the European Commission has proposed plans to hold e-commerce platforms like Amazon and Alibaba accountable for the online sale of dangerous or illegal products, as reported by the Financial Times. The proposed customs reform would require digital marketplace operators to provide comprehensive data before products enter the EU, enabling authorities to better control and inspect packages.

Additionally, the Commission aims to eliminate the customs exemption for shipments valued under 150 euros, intending to address the influx of packages, particularly from China, that may contain unsafe products or counterfeits. Similar measures are outlined in a federal e-commerce action plan in Germany.
