New EU security legislation under the Radio Equipment Directive (RED)

To increase the level of cybersecurity, personal data protection and privacy

On 12 January 2022, Commission Delegated Regulation (EU) 2022/30 [1] was published in the Official Journal, supplementing the Radio Equipment Directive (RED), which establishes the regulatory framework for placing radio equipment on the EU market, with additional requirements related to cybersecurity.

The Commission adopted a Delegated Act under the RED activating Articles 3(3)(d), (e) and (f) for certain categories of radio equipment, in order to increase the level of cybersecurity, personal data protection and privacy.

The update mandates cybersecurity, personal data and privacy protection for devices that can:

  • 3.3d: communicate over the internet, either directly or via any other equipment
  • 3.3e: process personal data, traffic data or location data
  • 3.3f: enable users to transfer money, monetary value or virtual currency

These provisions were originally set to become mandatory on 1 August 2024; the Commission has since postponed the application date to 1 August 2025 (Delegated Regulation (EU) 2023/2444). Manufacturers of radio equipment in scope must be compliant by the application date or face potential market surveillance action.

The reason behind this is that more and more products employ radio technology, and many of them connect to the internet, which exposes them to a growing range of security threats and to the risk of being attacked and exploited.


What is the Radio Equipment Directive (RED)?

The RED (Directive 2014/53/EU) is one of many directives and regulations which are part of the New Legislative Framework (NLF) for placing radio products on the European market. It ensures a single market for radio equipment by setting essential requirements for safety and health, electromagnetic compatibility, and the efficient use of the radio spectrum. It also provides the basis for further requirements to be added by delegated acts, as in this case for cybersecurity.

Compliance with the RED is achieved by satisfying a number of "essential requirements". The existing ones for safety and health, EMC and radio are well known as the "original" essential requirements, and we have already seen an additional essential requirement under Article 3.3(g), for access to emergency services, become mandatory on 17 March 2022. The publication of the delegated act for Articles 3.3(d), (e) and (f) in the Official Journal now adds the essential requirements for cybersecurity.

It should be noted that some products are out of scope of the delegated act (for some or all of the three articles), such as medical devices, civil aviation, motor vehicles and electronic road toll systems, because they are covered by their own sector-specific legislation.

 


The text of the additional essential requirements of RED

The text in the actual directive is quite brief as detailed below: 

  • RED Article 3.3 (d) - radio equipment does not harm the network or its functioning nor misuse network resources, thereby causing an unacceptable degradation of service;
  • RED Article 3.3 (e) - radio equipment incorporates safeguards to ensure that the personal data and privacy of the user and of the subscriber are protected;
  • RED Article 3.3 (f) - radio equipment supports certain features ensuring protection from fraud;

This is high-level text and thus does not contain enough detail to really help a device manufacturer. The European Commission therefore issues a "standardisation request" to the European Standards Organisations (ESOs) asking them to produce harmonised standards that give a presumption of conformity with the essential requirements; for Articles 3.3(d), (e) and (f) the resulting standards are the EN 18031 series. The standardisation request sets out the minimum requirements, but the final standards may include further assessment criteria where appropriate, and further guidance is also expected from the Commission.


What do the "essential requirements" actually mean?

Article 3.3(d) – Cybersecurity
It covers radio equipment that can communicate over the internet directly, and radio equipment that can communicate over the internet by way of another connected device. In simple terms, the radio product must neither harm the network itself nor be capable of being compromised in a way that harms the network, for example by misusing network resources or causing an unacceptable degradation of service.

Article 3.3(e) – Privacy
This requires radio equipment to incorporate safeguards to ensure that the personal data and privacy of the user and the subscriber are protected. It applies to radio equipment that can process personal data, traffic data or location data, including where such data are processed through another connected device.

Article 3.3(f) – Protection from fraud
This protects users who use radio products to transfer money, monetary value or virtual currency, by requiring features that protect those transactions from compromise and fraud.


How much time do manufacturers have to comply with RED? 

The Delegated Regulation was published in the Official Journal of the European Union (OJEU) on 12 January 2022 and is in force. Compliance with the new essential requirements was originally to become mandatory on 1 August 2024, a date since postponed to 1 August 2025.

For products to be compliant by the application date, manufacturers should build the new requirements into their product technical specifications as early as possible, so that security controls are designed in rather than retrofitted.

 

Why should you choose TÜV SÜD for RED compliance? 

TÜV SÜD is helping companies comply with the Radio Equipment Directive by offering testing and assessment based on existing standards such as ETSI EN 303 645, together with the additional considerations required by the directive's essential requirements. TÜV SÜD has cybersecurity experts based around the world and also contributes expertise to the development of the standards.

 

LEARN MORE ABOUT THE NEW RED 3.3(D)(E)(F) REGULATION FOR CYBER SECURITY

Manufacturers have a limited window before the application date to ensure that their internet-connected radio devices adhere to the new provisions. This time will pass quickly, so manufacturers must act now.

For further help in complying with the regulation, get in touch with our cybersecurity experts at [email protected]


 

[1] https://eur-lex.europa.eu/eli/reg_del/2022/30/oj

Explore

Internet of Things (IoT) for a connected world
White paper

Internet of Things (IoT) cybersecurity threats and regulations

Learn about the threats to IoT cybersecurity, the applicable regulations, and TÜV SÜD services for the safety and security of consumer IoT (CIoT) devices.

Infographics

TÜV SÜD Consumer IoT Cybersecurity (CSC) Certification

TÜV SÜD supports IoT device manufacturers in developing highly secure products by providing testing and certification services based on the most relevant international standards.

Stories

ETSI EN 303 645 cybersecurity standard for consumer IoT (CIoT)

Through ETSI EN 303 645 testing, TÜV SÜD experts maintain a precise understanding of the cyber-fraud and data-security regulations of specific markets and, with a deep understanding of the cyber-threat landscape, help customers worldwide realise the full potential of the digital future.

Stories

iRobot IoT cybersecurity case study

TÜV SÜD confirmed that iRobot products comply with the ETSI EN 303 645 IoT cybersecurity standard.