New EU security legislation under the Radio Equipment Directive (RED)

On the 12th January 2022, the European Commission updated the Radio Equipment Directive (RED), which establishes a regulatory framework for placing radio equipment on the market, to include additional legislation related to security (2022/30/EU)¹.

The Commission adopted a Delegated Act of the Radio Equipment Directive activating Articles 3(3)(d), (e) and (f) for certain categories of radio equipment to increase the level of cybersecurity, personal data protection and privacy. 

The update mandates cybersecurity, personal data and privacy protection for devices that can:

• 3.3d: communicate over the internet, either directly or via any other equipment
• 3.3e: process personal data, traffic data or location data
• 3.3f: enable users to transfer money, monetary value or virtual currency

These provisions become mandatory on the 1st August 2024 and manufacturers of radio connected devices must be compliant by that date or face potential action. 

The reason behind this is that more and more products are employing radio technology in their applications and many of these devices connect to the internet which could expose these products to increasing security threats and the potential to be attacked and exploited.

What is the Radio Equipment Directive (RED)?

The RED is one of many directives and regulations which are part of the New Legislative Framework (NLF), for placing radio products on the European market. It ensures a single market for radio equipment by setting essential requirements for safety and health, electromagnetic compatibility, and the efficient use of the radio spectrum. It also provides the basis for further regulations by delegated acts adding additional legislation such as in this case for cybersecurity. 

Compliance with the RED is achieved by satisfying a number of “essential requirements”. The existing ones for Safety and Health, EMC and Radio are well known as the “original” essential requirements, and we have already seen an additional essential requirement under Article 3.3g for Access to Emergency Services becoming mandatory on 17th March 2022. However, the official journal citing of these delegated act for 3.3d,e,f now adds the additional essential requirements for cybersecurity  

It should be noted that some products are out of scope (for some articles) such as medical devices, aviation, motor vehicles and electronic road toll systems. 

The text of the additional essential requirements of RED

The text in the actual directive is quite brief as detailed below: 

• RED Article 3.3 (d) - radio equipment does not harm the network or its functioning nor misuse network resources, thereby causing an unacceptable degradation of service;
• RED Article 3.3 (e) - radio equipment incorporates safeguards to ensure that the personal data and privacy of the user and of the subscriber are protected;
• RED Article 3.3 (f) - radio equipment supports certain features ensuring protection from fraud;

This is high level text and thus does not contain enough detail to really help a device manufacturer, however, the European Commission will send out a “standards request” to the European Standards Organizations (ESO) asking them to produce standards to assist in compliance. Further guidance is also expected from the Commission as well.  The standards request sets out the minimum requirements but the final standards may include further assessment criteria where appropriate and further guidance is also expected from the Commission as well. 

What do the “essential requirements” actualLY mean?

Article 3.3(d) – Cybersecurity
It covers radio equipment that can communicate through the Internet and radio equipment which can communicate over the Internet by way of another connected device.  In simplistic terms, the radio product must not, nor be able to be compromised therefore causing harm to the network.      

Article 3.3(e) – Privacy
This requires radio equipment to incorporate safeguards to ensure that the personal data and privacy is secured. This includes but is not limited to radio equipment that can process personal, traffic and location data. 

Article 3.3(f)
It will protect users who wish to use radio products to process financial transaction and protect them from compromise and fraud.

How much time do manufacturers have to comply with RED? 

The Delegates Acts were cited in the Official Journal of the European community (OJEC) on 12th January 2022. The legislation is presently in force, and compliance with the essential requirements become mandatory beginning August 1, 2024.  

In order for the product to be compliant by August 2024, manufacturers should be considering the new requirements into product technical specifications as early as possible. 

Why should you choose TÜV SÜD for RED compliance? 

TÜV SÜD is helping companies comply with the Radio Equipment Directive as it offers testing and assessments based on existing standards such as ETSI EN 303 645 and additional considerations required for the directive’s essential requirements. TÜV SÜD have cybersecurity experts based all around the world and are also providing expertise to the development of the standards. 

LEARN MORE ABOUT THE NEW RED 3.3(D)(E)(F) REGULATION FOR CYBER SECURITY

Manufacturers have until 1st August 2024 to ensure their internet connected radio devices adhere to the new provisions. This time will go very quickly so manufacturers must act NOW! 

For further help in complying with the regulation, get in touch with our cybersecurity experts at cps@tuvsud.com

¹ https://eur-lex.europa.eu/eli/reg_del/2022/30/oj