Skip to main content
  • Service

UL Solutions Cybersecurity Advisory for RED Compliance

Learn more about Article 3.3 of the European Commission’s Radio Equipment Directive 2014/53/EU (RED) and address radio-specific device requirements ranging from common interfaces to cybersecurity.

Friends sharing information on smartphones

Overview of the Radio Equipment Directive (RED) 2014/53/EU

Key provisions of RED 

The European Commission’s (EC) Radio Equipment Directive 2014/53/EU (RED) establishes a regulatory framework for radio equipment, setting essential requirements for safety and health, electromagnetic compatibility (EMC) and radio spectrum efficiency. Article 3.3 of the directive includes device requirements related to specific categories of radio equipment ranging from common interfaces to cybersecurity.         

Timeline for compliance

On Jan. 12, 2022, the Official Journal of the European Union published delegated regulation 2022/30/EU, enforcing compliance requirements to RED Article 3.3(d), (e) and (f). The regulation requires cybersecurity, personal data privacy and fraud protection for applicable wireless devices available on the EU market (see figure). It takes effect Feb. 1, 2022, and becomes mandatory Aug. 1, 2025, giving device manufacturers a 42-month transition period.   

Detailed analysis of RED Article 3.3 cybersecurity requirements

RED Article 3.3 Cybersecurity

RED Article 3.3 Cybersecurity shown on a chart

Network protection under Article 3.3(d)

Article 3.3(d) improves network protection. Device manufacturers will have to include features that avoid harming communication networks and prevent the device from disrupting website or services’ functionality.

Personal data and privacy under Article 3.3(e)

Article 3.3(e) strengthens personal data and privacy protection. For example, device manufacturers will have to implement measures to prevent unauthorized access or transmission of consumers’ personal data.

Anti-fraud measures under Article 3.3(f)

Article 3.3(f) reduces the risk of fraud. Device manufacturers will have to include features such as better user authentication control to minimize fraudulent electronic payments and monetary transfers.

Scope and impact of RED cybersecurity requirements

Devices covered by the new regulation

The new regulation covers devices that can communicate over the internet, whether directly or via other equipment. Radio equipment that may expose sensitive personal data is also in scope. For example:

  • Mobile phones, tablets and laptops
  • Wireless toys and children’s safety equipment, such as baby monitors
  • Wearable devices, such as smartwatches and fitness trackers

Article 3.3(d) applies to devices related to network protection. Article 3.3(e) applies to equipment that processes personal data, traffic data or location data (for detailed data definitions, refer to article 4(1) and 4(2) of EU regulation 2016/679 and article 2(b) and (c) of directive 2002/58/EC).

Article 3.3(f) applies to radio equipment that enables the holder or user to transfer money, monetary value or virtual currency as defined in article 2(d) of EU directive 2019/713. Cybersecurity measures should factor in emerging crime trends in the electronic payments industry such as crypto-jacking, ransomware, near-field communication-related fraud and biometric authentication tampering.

Exemptions and special considerations

Devices already within the scope of EC regulations 2019/21446 (type examination for vehicles), 2018/11397 (civil aviation) or directive 2019/520 (electronic road-toll systems) that have similar security requirements do not fall under the new Article 3.3 regulation.

UL Solutions’ role in facilitating RED compliance

Pre-standardization support

In August 2022, the EC issued a standardization request to the European Standard Organization (ESO) CEN/CENELEC, which initiated the work on the harmonized standards. It is expected that three standards will be published by June 30, 2024, covering respectively Article 3.3(d), (e) and (f). UL Solutions reviewed the first draft of the proposed standard and submitted several comments to help improve the document.

The harmonized standards will support the essential requirements laid out in Article 3.3 and will contain technical specifications for radio equipment in scope. These specifications will cover topics such as network traffic monitoring, denial of service attacks mitigation, authentication and access control mechanisms, secure update mechanism, and attack surface reduction. Additionally, specifications will address data security and privacy, aiming at, for example, preventing the accidental or unauthorized storage, processing, access, disclosure, destruction or loss of data. Users will also have the ability to easily delete their personal data stored on a device before disposing of it to prevent the exposure of their information.

Why choose UL Solutions for RED cybersecurity compliance

Expertise in cybersecurity and compliance

The RED Delegated Act (RED DA) will impact any manufacturer producing radio equipment to be sold on the EU market. Manufacturers will be responsible for cybersecurity throughout the entire lifecycle of the device. While the harmonized standards are not yet published, preparation for compliance can begin now. UL Solutions can help you progress towards RED DA compliance with advisory services to highlight gaps and provide you with educational guidance to reach your objectives.

Comprehensive support from strategy to implementation

UL Solutions can support you regardless of your current development stage. For early-stage projects, we can help you to apply security-by-design and embed security in your governance and processes. To this end, we offer training and workshops led by our security experts to equip your team with the knowledge to successfully implement your products. For projects in a later development stage, we can assist you with a gap analysis or full compliance assessment to EN 303 645 and IEC 62443-4-2, which will help you increase the security posture of your products. These two standards have requirements that overlap with the requirements expected to be in the harmonized standards for RED DA and will greatly support your readiness for RED.

Compliance advisory and training services

RED DA and EU regulatory landscape workshop

This workshop provides an overview of the EU cybersecurity regulatory landscape, setting the stage for a deeper understanding of the RED DA for Article 3.3(d), (e) and (f) and its importance in enhancing the security and privacy of connected devices along with the future impacts of the Cyber Security Resilience Act.

Advisory services

We offer training services for customers at every step of their journey toward RED compliance.

  • Basic – Level 1: Initiation

    Basic advisory services are designed for manufacturers starting their journey into the RED DA and looking for an expert to help identify the major gaps toward future compliance.

  • Substantial – Level 2: Developing

    Substantial advisory services are designed for manufacturers that have already started working on their compliance with RED DA and have prior experience with cybersecurity certifications.

  • High – Level 3: Defined

    These services are designed for manufacturers that are well on track on their journey to compliance with RED DA and looking for an expert to evaluate their work.

Read our info sheet to explore our services or contact UL Solutions today to confirm your compliance with the RED cybersecurity requirements.

Download our resources
Cybersecurity

Cybersecurity Requirements in the Radio Equipment Directive

817.15 KB
FAQs

FAQs - Radio Equipment Directive (RED) Cybersecurity Requirements

437.85 KB
X

Get connected with our sales team

Thanks for your interest in UL's products and services. Let's collect some information so we can connect you with the right person.

Please wait…