To increase the level of cybersecurity, personal data protection and privacy
On 12th January 2022, the European Commission updated the Radio Equipment Directive (RED), which establishes a regulatory framework for placing radio equipment on the market, to include additional legislation related to security (2022/30/EU).
The Commission adopted a Delegated Act of the Radio Equipment Directive activating Articles 3(3)(d), (e) and (f) for certain categories of radio equipment to increase the level of cybersecurity, personal data protection and privacy.
The update mandates cybersecurity, personal data and privacy protection for devices that can:
These provisions become mandatory on the 1st August 2024 and manufacturers of radio connected devices must be compliant by that date or face potential action.
The reason is that more and more products employ radio technology, and many of these devices connect to the internet, which could expose them to increasing security threats and to attack and exploitation.
What is the Radio Equipment Directive (RED)?
The RED is one of many directives and regulations that are part of the New Legislative Framework (NLF), and it covers the placing of radio products on the European market. It ensures a single market for radio equipment by setting essential requirements for safety and health, electromagnetic compatibility, and the efficient use of the radio spectrum. It also provides the basis for further regulation through delegated acts that add legislation, as in this case for cybersecurity.
Compliance with the RED is achieved by satisfying a number of “essential requirements”. The existing ones for Safety and Health, EMC and Radio are well known as the “original” essential requirements, and we have already seen an additional essential requirement under Article 3.3(g) for Access to Emergency Services become mandatory on 17th March 2022. However, the citing of the delegated act in the Official Journal for Articles 3.3(d), (e) and (f) now adds the additional essential requirements for cybersecurity.
It should be noted that some products, such as medical devices, aviation, motor vehicles and electronic road toll systems, are out of scope (for some articles).
The text in the actual directive is quite brief as detailed below:
This is high-level text and does not contain enough detail to really help a device manufacturer. However, the European Commission will send out a “standards request” to the European Standards Organizations (ESO) asking them to produce standards to assist in compliance. The standards request sets out the minimum requirements, but the final standards may include further assessment criteria where appropriate, and further guidance is also expected from the Commission.
What do the “essential requirements” actually mean?
Article 3.3(d) – Cybersecurity
It covers radio equipment that can communicate through the Internet and radio equipment which can communicate over the Internet by way of another connected device. In simple terms, the radio product must not harm the network, nor be able to be compromised so that it harms the network.
Article 3.3(e) – Privacy
This requires radio equipment to incorporate safeguards to ensure that personal data and privacy are secured. This includes but is not limited to radio equipment that can process personal, traffic and location data.
Article 3.3(f)
It will protect users who wish to use radio products to process financial transactions, and protect them from compromise and fraud.
How much time do manufacturers have to comply with RED?
The Delegated Acts were cited in the Official Journal of the European Community (OJEC) on 12th January 2022. The legislation is presently in force, and compliance with the essential requirements becomes mandatory beginning August 1, 2024.
For a product to be compliant by August 2024, manufacturers should be building the new requirements into product technical specifications as early as possible.
TÜV SÜD is helping companies comply with the Radio Equipment Directive as it offers testing and assessments based on existing standards such as ETSI EN 303 645 and additional considerations required for the directive’s essential requirements. TÜV SÜD have cybersecurity experts based all around the world and are also providing expertise to the development of the standards.
Manufacturers have until 1st August 2024 to ensure their internet connected radio devices adhere to the new provisions. This time will go very quickly so manufacturers must act NOW!
For further help in complying with the regulation, get in touch with our cybersecurity experts at [email protected]