In a recent webinar, Lluís Boada, Technical Manager at Applus+ Laboratories, provided an in-depth overview of the cybersecurity requirements of the Radio Equipment Directive (RED) and the EN 18031 series of standards. This article summarizes the key points discussed, covering the regulatory framework, essential requirements, applicability, testing, assessment, and certification processes. The EN 18031 standard is crucial for manufacturers aiming to comply with the RED and its cybersecurity requirements, particularly Articles 3.3(d), (e), and (f).
The Radio Equipment Directive (RED) aims to establish a regulatory framework for the marketing and use of radio equipment within the European Union. Its primary objectives are to ensure the protection of human health and safety and to promote the efficient use of the radio spectrum. The directive includes essential requirements covering health and safety, electromagnetic compatibility (EMC), radio aspects, and specific aspects that include the cybersecurity requirements as well as access to emergency services.
A new requirement for a common charger will be applicable from January 2025. This directive is crucial for manufacturers as it sets the standards for compliance, ensuring that all radio equipment marketed in the EU meets stringent safety and performance criteria.
Manufacturers can perform self-assessment for compliance with the Radio Equipment Directive (RED) under certain conditions. For the essential requirements under Articles 3.1(a) Health and Safety and 3.1(b) EMC, self-assessment by the manufacturer is allowed. However, for the radio and specific aspects under Articles 3.2 and 3.3, including the cybersecurity requirements of Articles 3.3(d), (e), and (f), self-assessment is only permissible if the manufacturer fully applies a harmonized standard published in the Official Journal of the European Union. If no harmonized standard exists, or if the standard is not fully applied, the manufacturer must involve a Notified Body to obtain certification. Additionally, for the new common charger requirement (Article 3.4), self-assessment is generally sufficient, but manufacturers may voluntarily seek third-party validation from a Notified Body.
The RED Delegated Act (EU) 2022/30 is a supplementary regulation that enhances the Radio Equipment Directive (RED) by introducing specific cybersecurity requirements for certain types of radio equipment. It aims to address emerging security threats and ensure that devices connected to the internet, processing personal data, or facilitating financial transactions meet stringent security standards.
This Delegated Act applies to various types of radio equipment, including internet-connected devices, devices processing personal data, and equipment enabling monetary transactions. Exemptions include medical devices and certain regulated sectors such as aviation and automotive.
Manufacturers must evaluate the intended use of their devices to determine applicability. For instance, internet-connected devices like smartphones, tablets, and smart TVs fall under this act, as do wearables and childcare equipment that process personal data. The act also covers devices that facilitate financial
The EN 18031 series standards have been developed to support the essential requirements of the RED Delegated Act. These standards cover security mechanisms, privacy, and financial aspects. Key requirements include access control, authentication, secure updates, secure storage, secure communication, resilience, network monitoring, and cryptographic key management.
These standards are designed to address common cybersecurity threats, ensuring that radio equipment operates securely and does not pose risks to users or networks. The standards are technology-agnostic, allowing manufacturers to implement security measures that best fit their devices' intended use and risk profile. An in-depth analysis of these standards can be read in this article about EN 18031 cybersecurity standards.
The certification process involves a documentary review by a notified body. Manufacturers must provide comprehensive technical documentation, including test reports, user manuals, risk assessment, and declaration of conformity. The notified body evaluates the documentation and issues an EU-Type Examination Certificate, which can be positive, positive with restrictions, or negative.
Manufacturers must retain technical documents for ten years and comply with any changes in the state-of-the-art. This process ensures that all radio equipment placed on the market meets the required standards, providing assurance to consumers and regulatory bodies. The involvement of a notified body adds an extra layer of scrutiny, ensuring that manufacturers adhere to the highest standards of safety and performance.
The RED Delegated Act will become mandatory on August 1, 2025. Manufacturers have only a few months to ensure compliance. Ongoing developments in standard harmonization are expected, and manufacturers should stay informed about any updates from the European Commission.
The timeline highlights the urgency for manufacturers to start their compliance journey early, allowing sufficient time to address any potential issues and ensure their products meet the new requirements. Staying updated with the latest developments and guidance from regulatory bodies will be crucial in navigating the compliance landscape effectively.
We encourage manufacturers to start their compliance journey early to ensure a smooth transition. By adhering to these standards, manufacturers can enhance the security and reliability of their radio equipment, ultimately benefiting consumers and contributing to a safer and more secure digital environment.