Cybersecurity Requirement for Radio Equipment Directive (RED)

The RED Directive has revised its scope to include cybersecurity related concerns to radio interfaces which become mandatory in August, 2024. Our cybersecurity experts incorporate radio equipment to ensure data safeguards, fraud protection, and misuse of network function.

With the emergence of Wi-Fi, Bluetooth and NFC, more products are interconnected and behaving like radio equipment. Consequently, the radio spectrum and its efficient use has become a bigger part of day-to-day life. This has changed the design of many products from vacuum cleaners and cooking appliances to the phones we carry every day.

Concern for cybersecurity of these devices has now caused the Radio Equipment Directive (RED) to revise their scope, including Article 3.3, which addresses security of radio interfaces. The change takes effect February 1, 2022. It becomes mandatory August 1, 2024 for all new and existing products which must comply in order to achieve CE marking.

There are 3 distinctive sections of Article 3.3 specific to cybersecurity:

• (d) radio equipment does not harm the network or its functioning nor misuse network resources, thereby causing an unacceptable degradation of service;
• (e) radio equipment incorporates safeguards to ensure that the personal data and privacy of the user and of the subscriber are protected;
• (f) radio equipment supports certain features ensuring protection from fraud;

 

Industries:

The impact will be on all manufacturers who devices are declaring to the Radio Equipment Directive.
The RED cybersecurity requirements apply to:

• Internet-connected radio equipment, whether the equipment connects directly via the internet or via any other equipment
• Radio equipment for childcare, toys, and wearable equipment, even in the absence of a connection to the internet.

The RED cybersecurity requirements are not in scope for smart meters, 5G network equipment, medical devices, as well as vehicles and their systems and components.

 

Are there harmonized standards?

To date there are no harmonized standards. However EU Commission has indicated that standards maybe released 10 months prior to effective date (August 1, 2024). It is likely that the harmonized standard will be based on existing standards such as ETSI EN 303 645 and IEC 62443.

What do manufacturers need to do?

Manufacturers may consider testing products to existing standards such as EN 303 645 (Consumer Products) or IEC 62443 (Industrial). As the likely basis for future harmonized standards, aligning and testing products sold in the EU market to these standards will help ensure preparedness for the future harmonized standards and the August 2024 deadline.
Also the manufacturers who are declaring to the Medical Device Regulation will need to follow the requirements of MDR Annex 1 Essential Requirements for cybersecurity.

How Intertek Can Help

As a Notified Body in the EU to the Radio Equipment Directive (RED) and Competent Body in the U.S., we can test to all of the RED parameters, including the 3 new cybersecurity additions, to determine if your product is in compliance with the Directive and suitable for CE Marking.