05 Mar 2019 Upload of software on radio equipment
Eurosmart’s answer to the European Commission Public Consultation
Eurosmart, the voice of the digital security industry, supports the political commitment to strengthening the reliability of radio equipment placed on the market. The growing number of internet-connected radio equipment, and more precisely IoT devices, constitutes a challenge to ensuring both the safety and the security of products placed on the market.
In terms of safety, it falls to the manufacturer to ensure the conformity of the radio equipment it makes available on the market, which may combine hardware and software. In this case, software is part of the final good. However, third-party software can be uploaded to the device for the benefit of the final user, for example to enable new features of its hardware.
On the one hand, potential misuse or modification of the behaviour of the device cannot be the responsibility of the manufacturer whose product, as placed on the market, has since been modified. Indeed, this situation could lead to legal uncertainty for market players who will bear the full liability for a modified combination of software and radio equipment.
On the other hand, it would be detrimental for the market to oblige the manufacturer to introduce features that restrict the uploading of third-party software, unless the manufacturer ensures the compliance of the combination of the radio equipment and software. This would shift the responsibility for safety, compliance, usability and maintenance of the software to the radio-equipment manufacturer.
Moreover, the Inception Impact Assessment for the Radio Equipment Directive related to internet-connected radio equipment and wearable radio equipment foresees a potential delegated act which will include requirements in terms of privacy, data protection, and prevention of fraud. Such requirements will include cybersecurity protection alongside traditional conformity against functional specifications (safety). Eurosmart fears that the radio-equipment manufacturer would carry the whole liability burden in terms of cybersecurity, should the radio equipment be altered due to the upload of non-secure software or misuse by the user.
Internet-connected radio equipment does not operate in a static environment: uploaded software may rely on external databases, algorithms, cloud servers, artificial intelligence, etc., which are not under the control of the manufacturer. Data breaches, privacy concerns and vulnerabilities could be attributable to one or several actors in the software’s value chain for which the manufacturer may not be responsible or of which it may not be aware.
An alternative option could be the upload of third-party evaluated software on a standardised platform, with a third-party evaluation of the product required before and after the upload.
Eurosmart enjoins the TCAM and the European Commission to rely on the ongoing work of the Product Liability Expert Group (E03592) to define clear liability for both device manufacturers and software developers, and to consider software as a good placed on the market as such. Before envisaging a complementary approach through a potential delegated act on software upload for radio equipment, it is essential to wait for the upcoming conclusions of the Product Liability Expert Group.