Regulatory Reflections: The European Union’s Radio Equipment Directive

Date Published: July 10, 2024

In the last two blogs in the series, we covered a number of regulations relating to connected devices within the United States: the US Cyber Trust Mark and the PATCH Act. Now we turn our attention to Europe, and the work being done by the European Union (EU) to better protect its residents and their devices.

The need for digital resiliency
The European Commission (EC) defines radio equipment as “an electrical or electronic product intended to transmit and/or receive radio waves for the purpose of radiocommunication and/or radiolocation”. As such, the vast majority of Internet of Things (IoT) and other connected devices fall under this definition, as many of these leverage radio or wireless technology in some form.

There is a growing awareness in Europe that greater security is needed for these device types. In July 2022, cloud computing company Akamai detected and mitigated the largest Distributed Denial-of-Service (DDoS) attack levelled against a European business. Akamai’s customer was targeted 75 times over the course of 30 days, as hackers attempted to access a database of customer IP addresses.

It was attacks like this that prompted the development of the EU’s Cyber Resilience Act (CRA), the goal of which is to improve security for internet-connected devices sold in Europe. First proposed in 2022, the Act received formal approval from the European Parliament in March 2024. Once formally adopted by the Council, the CRA can be enforced to better protect IoT and smart devices across the continent.

Critical requirements for manufacturers
This isn’t to say legislation isn’t already in place to protect European citizens. There is an EC directive already establishing a regulatory framework for radio equipment, with the goal of implementing key requirements for safety, health, electromagnetic compatibility and radio spectrum efficiency. Designated as ‘2014/53/EU’ in the Official Journal of the EU, the Radio Equipment Directive (RED) has ‘essential requirements’ for device manufacturers that must be fulfilled in order to remain compliant. These are set out in Article 3.

Three specific sub-articles relating to cybersecurity can be found in Article 3. Article 3.3(d) covers the requirements for network protection; for manufacturers, this means the implementation of features that avoid any harm to communication networks. It also means devices are prohibited from disrupting the functionality of websites and services they are linked to.

Article 3.3(e) focuses on the protection of personal data and privacy. It requires that measures to prevent unauthorized access to, or transmission of, a user’s sensitive data are built into devices. Concerns over fraudulent electronic payments and monetary transfers are covered under Article 3.3(f), as manufacturers must include features that deliver enhanced authentication controls to the user.

Originally penciled in for 2024, the RED will become mandatory for all wireless devices and products sold in the EU from August 2025.

The devices under consideration
The scope of the directive is wide-ranging, covering all devices sold in the EU which transmit and receive radio signals. Any 4G/LTE/5G cellular-enabled – or Wi-Fi-enabled – devices fall under the RED’s remit. It also extends to everything from radar equipment to radio, television, and GPS receivers.

The directive comes at a time when attacks against Europe’s connected devices are growing in volume, variety and complexity. Within the last few years, the continent has seen hackers access everything from electric vehicle chargers to rail communication equipment, alongside GPS jamming and smart television hacks. As recently as April 2024, researchers found vulnerabilities in over 91,000 smart televisions that could allow hackers to gain root access to the devices.

Even consumer technologies such as smart watches and baby monitors are covered by the RED. This should come as no surprise: it was only in 2019 that the EU recalled a smart watch designed for children over concerns it could be easily hacked. The directive has been designed to ensure all these technologies are better protected once it becomes mandatory next year.

Protection in addition to the RED
TCG technologies can also ensure better protection for devices. For larger devices, the Trusted Platform Module (TPM) can be used to sign and verify that any data present originates from a trusted source. It provides mechanisms to protect, detect, attest and recover from any attempts to modify code.

To guarantee the identity and integrity of components within a system, the Device Identifier Composition Engine (DICE) can also be utilized. DICE creates a unique secret for each boot layer of a system, derived from the previous layer’s secret and the current layer’s measurement. Because each secret depends on every layer measured before it, a layer whose code has been modified receives a different secret, and so do all the layers that follow it; secrets derived on the unmodified device are therefore not exposed if the device is later compromised, preventing unauthorized disclosure. Any connected device utilizing DICE can also re-key and generate an individual ‘identity’ during each boot cycle, which can be used to derive other keys for various purposes.
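The layering described above, as an added illustration that is not part of this post and not TCG’s DICE specification or reference code. It assumes a measurement is a SHA-256 digest of a layer’s code image and that each layer’s secret is an HMAC-SHA256 keyed by the previous layer’s secret; the device secret and the three boot layers are constructed sample inputs. Booting the same device with one modified layer shows that the secrets of that layer and everything after it change, while the earlier layer’s secret is untouched.

```python
import hashlib
import hmac
from typing import List, Optional

# Constructed example of DICE-style layered secret derivation (assumed
# primitives: SHA-256 measurements, HMAC-SHA256 derivation). Not TCG code.


def measure(code: bytes) -> bytes:
    """Measurement of a boot layer: a SHA-256 digest of its code image."""
    return hashlib.sha256(code).digest()


def derive_layer_secret(previous_secret: bytes, measurement: bytes) -> bytes:
    """Secret handed to the next layer, bound to the previous secret and the current measurement."""
    return hmac.new(previous_secret, measurement, hashlib.sha256).digest()


def boot_chain(uds: bytes, layers: List[bytes]) -> List[bytes]:
    """Walk the boot layers in order and return the secret each layer receives."""
    secrets = []
    secret = uds  # hardware-held Unique Device Secret: the root of the chain
    for code in layers:
        secret = derive_layer_secret(secret, measure(code))
        secrets.append(secret)
    return secrets


def derive_key(layer_secret: bytes, purpose: bytes) -> bytes:
    """Purpose-specific key (e.g. a per-boot identity key) derived from one layer's secret."""
    return hmac.new(layer_secret, b"dice-key:" + purpose, hashlib.sha256).digest()


def first_divergent_layer(a: List[bytes], b: List[bytes]) -> Optional[int]:
    """Index of the first layer whose secret differs between two boots, or None if identical."""
    for index, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return index
    return None


# Constructed inputs: a device secret and three boot layers.
UDS = bytes.fromhex("00" * 31 + "01")
GOOD_LAYERS = [b"bootloader v1.0", b"os kernel v1.0", b"application v1.0"]
# Same device, but the kernel image (layer index 1) has been modified.
TAMPERED_LAYERS = [b"bootloader v1.0", b"os kernel v1.0 (modified)", b"application v1.0"]


def compare_boots() -> Optional[int]:
    """Boot both images on the same device and report where the secret chains diverge."""
    good = boot_chain(UDS, GOOD_LAYERS)
    tampered = boot_chain(UDS, TAMPERED_LAYERS)
    return first_divergent_layer(good, tampered)


if __name__ == "__main__":
    good = boot_chain(UDS, GOOD_LAYERS)
    tampered = boot_chain(UDS, TAMPERED_LAYERS)
    print("first differing layer:", compare_boots())
    for i, (g, t) in enumerate(zip(good, tampered)):
        print(f"layer {i}: {'same' if g == t else 'differs'}")
    same_identity = derive_key(good[-1], b"identity") == derive_key(tampered[-1], b"identity")
    print("application identity key unchanged:", same_identity)
```

Because the modified kernel measures differently, its secret and the application’s secret (and any identity key derived from it) differ from the good boot, which is what lets a verifier tell the two device states apart; the bootloader’s secret, derived before the modification, is the same in both runs.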

Cyber Resilient Module and Building Block Requirements (CyRes) can reduce the likelihood of malware persistence, and also protect essential code and data. CyRes establishes three key security principles: the protection of updatable, persistent code and data, the detection of vulnerabilities or corruption, and the reliable recovery of systems. For connected devices, it enables key protection, detection, and recovery capabilities to identify and fix misconfigured or unpatched code and deploy reliable, trusted updates. This means that in the event a device is compromised, it can be returned to a previous, trusted state.
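A small model of the three principles just listed, as an added example that is not part of this post and not TCG’s Cyber Resilient Module specification or any product’s code. The details are assumptions for illustration: the recovery image and update key are held privately and never rewritten (protection), updates are accepted only with an HMAC-SHA256 authorization tag under a device-held key, the active image is measured with SHA-256 and compared to the digest recorded at the last authorized update (detection), and a mismatch at boot restores the latched golden image (recovery). The firmware images and key are constructed sample data.

```python
import hashlib
import hmac
from typing import List

# Constructed model of CyRes-style protect / detect / recover. Assumed scheme:
# HMAC-SHA256 update authorization, SHA-256 measurement, latched golden image.


class ResilientDevice:
    def __init__(self, golden_image: bytes, update_key: bytes):
        # Protection: recovery image and update key are private and never rewritten.
        self._golden = bytes(golden_image)
        self._update_key = bytes(update_key)
        # Updatable, persistent code: the image that actually runs.
        self.active = bytearray(golden_image)
        # Measurement the active image is expected to have.
        self._expected = hashlib.sha256(self._golden).digest()
        self.events: List[str] = []

    def measure(self) -> bytes:
        """Measurement of whatever is currently in the active slot."""
        return hashlib.sha256(bytes(self.active)).digest()

    def apply_update(self, image: bytes, tag: bytes) -> bool:
        """Accept a new image only if its authorization tag verifies under the update key."""
        expected_tag = hmac.new(self._update_key, image, hashlib.sha256).digest()
        if not hmac.compare_digest(expected_tag, tag):
            self.events.append("update rejected: bad tag")
            return False
        self.active = bytearray(image)
        self._expected = hashlib.sha256(image).digest()
        self.events.append("update applied")
        return True

    def detect(self) -> bool:
        """Detection: does the active image still match its recorded measurement?"""
        ok = hmac.compare_digest(self.measure(), self._expected)
        self.events.append("check ok" if ok else "corruption detected")
        return ok

    def recover(self) -> bool:
        """Recovery: restore the latched golden image and re-verify it."""
        self.active = bytearray(self._golden)
        self._expected = hashlib.sha256(self._golden).digest()
        self.events.append("recovered to golden image")
        return self.detect()

    def boot(self) -> str:
        """Resilient boot: run the active image if intact, otherwise recover first."""
        if self.detect():
            return "booted active image"
        return "booted golden image" if self.recover() else "unrecoverable"


def authorize(update_key: bytes, image: bytes) -> bytes:
    """What a legitimate update server does with the shared update key (assumed scheme)."""
    return hmac.new(update_key, image, hashlib.sha256).digest()


# Constructed sample data.
UPDATE_KEY = b"constructed-update-key-for-demo"
GOLDEN = b"firmware v1.0 (known good)"
V2 = b"firmware v2.0"


def scenario() -> list:
    """Run one device through an unauthorized update, a real update and a corruption."""
    dev = ResilientDevice(GOLDEN, UPDATE_KEY)
    results = []
    # 1. Unauthorized update: rejected, active image unchanged.
    results.append(dev.apply_update(b"firmware (unauthorized)", b"\x00" * 32))
    # 2. Authorized update to v2.0: accepted and boots normally.
    results.append(dev.apply_update(V2, authorize(UPDATE_KEY, V2)))
    results.append(dev.boot())
    # 3. Persistent code is corrupted behind the device's back (first 8 bytes overwritten).
    dev.active[0:8] = b"corrupt!"
    results.append(dev.boot())
    # After recovery the device is back on the known-good image.
    results.append(bytes(dev.active) == GOLDEN)
    return results


if __name__ == "__main__":
    for step in scenario():
        print(step)
```

The point of the model is the separation of roles: the golden image and update key are the protected part, the measurement comparison is the detection, and `boot()` never runs an image that fails the check, which is what prevents a corrupted image from persisting across reboots. A real device would hold the golden image and key behind a hardware latch or in a Root-of-Trust rather than in a Python attribute.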

Adherence to the RED, alongside the use of a hardware Root-of-Trust (RoT), will empower device manufacturers to sell secure-by-design connected devices within Europe.
