EU Cyber Regulations Compared
Author(s): Joseph Ball
Peer Reviewers: Katherine Allen, Jared Bloch, Devon Sparks
Last Reviewed: August 2024
Making sense of Trimble’s responsibility in conforming to specific EU cybersecurity and privacy regulations can be a challenge. Understanding how these various regulations relate to each other, and where their scopes overlap, can seem near-impossible. With the right visual aids and the right point of view, however, it can be done.
One way to frame how EU cyber regulations relate to each other is to think about how they apply to the generation, transmission, and storage of data between field devices and cloud services. Some regulations, like the EU Radio Equipment Directive (“RED”), determine how Trimble secures device network connections and constrain which radio technologies we use in our products. Other regulations, like the EU Data Act, take a broader scope, applying to the (meta)data we extract from our connected products, how that data is used, and how we make it available to customers. Thinking of this as a data flow, from field device to backend cloud infrastructure, helps to put each regulation in perspective.

Radio Equipment Directive 3.3 D, E, F (“RED”) - 2025
Compliance with RED is required to sell devices within the EU. These clauses focus on hardware with IoT connectivity and take the form of a simple addition to existing rules. The aim is to ensure the final product cannot easily cause harm to the networks it connects to or creates. Where the law is deemed applicable, Trimble devices sold in the EU will need to be checked and signed off by an approved compliance company. The Cyber Resilience Act will replace the RED D, E, F clauses in 2027.
Cyber Resilience Act (“CRA”) - 2027
Compliance with CRA will be required to sell devices within the EU. This is the next evolution of RED, replacing clauses D, E, F, as it applies security standards and requirements to products with “digital elements”. All Trimble products that EU customers interact with will need to comply with CRA. In some instances Trimble may self-attest compliance with the CRA regulations; in others a third-party assessment/certificate will need to be acquired. CRA’s regulations and standards are still being developed.
General Data Protection Regulation (“GDPR”) - 2018
GDPR regulates how we look after the personally identifiable information (“PII”) and data being passed around the systems. PII such as email addresses for user accounts, phone numbers, and addresses are all good examples of data Trimble may have access to and must manage responsibly. Trimble must be able to produce or delete this data if requested by an EU Customer. GDPR includes guidelines with legal penalties for non-compliance. This is focused on allowing customers to view, understand and delete the data we process about them.
EU Data Act - 2025
The EU Data Act focuses on the (meta)data we pull from our products, how that data is used, and how we make it available to customers. Collected data is likely to be collated in larger data stores in the cloud. These stores need to properly track the customer, or be able to accurately attribute data to the customer. The EU Data Act includes guidelines with legal penalties for missing the targets. This is focused on allowing customers the right to view, understand, and delete the (meta)data we have from their use of a Trimble connected product.
To learn more about Trimble’s position on a specific EU cyber regulation, see: