Cybersecurity Requirements in the Radio Equipment Directive
The European Commission’s (EC) Radio Equipment Directive 2014/53/EU (RED) establishes a regulatory framework for radio equipment, setting essential requirements for safety and health, electromagnetic compatibility (EMC) and radio spectrum efficiency. The directive includes Article 3.3 as a placeholder to address device requirements related to radio-specific issues ranging from common interfaces to cybersecurity.
On Jan. 12, 2022, the Official Journal of the European Union published delegated regulation 2022/30/EU, which activates the requirements of RED Article 3.3(d), (e) and (f). The regulation strengthens cybersecurity, personal data privacy and fraud protection for applicable wireless devices placed on the EU market (see figure). It takes effect Feb. 1, 2022, and becomes mandatory Aug. 1, 2024, giving device manufacturers a 30-month transition period.
RED Article 3.3 Cybersecurity
- Article 3.3(d) improves network protection. Device manufacturers will have to include features that avoid harming communication networks and prevent the device from disrupting the functionality of websites or services.
- Article 3.3(e) strengthens personal data and privacy protection. For example, device manufacturers will have to implement measures to prevent unauthorized access or transmission of consumers’ personal data.
- Article 3.3(f) reduces the risk of fraud. Device manufacturers will have to include features such as stronger user authentication controls to minimize fraudulent electronic payments and monetary transfers.
Scope of the new regulation
The new regulation covers radio equipment that can communicate over the internet, whether directly or via other equipment. Examples:
- Mobile phones, tablets and laptops
- Wireless toys and children’s safety equipment such as baby monitors
- Wearable devices such as smartwatches and fitness trackers
Article 3.3(d) applies to devices related to network protection. Article 3.3(e) applies to equipment that processes personal data, traffic data or location data (for detailed data definitions, refer to article 4(1) and 4(2) of EU regulation 2016/679 and article 2(b) and (c) of directive 2002/58/EC).
Article 3.3(f) applies to radio equipment that enables the holder or user to transfer money, monetary value or virtual currency as defined in article 2(d) of EU directive 2019/713. Cybersecurity measures should factor in emerging crime trends in the electronic payments industry such as crypto-jacking, ransomware, near-field communication-related fraud and biometric authentication tampering.
Devices already within the scope of EC regulations 2019/2144 (type approval for vehicles), 2018/1139 (civil aviation) or directive 2019/520 (electronic road-toll systems), which carry similar security requirements, do not fall under the new Article 3.3 regulation.
Harmonized standards in development
Currently, no harmonized standards cover the scope of the RED Article 3.3 regulation. While the EU has yet to task the European Standards Organizations (ESOs) with creating such standards, the ESOs and the European Commission reportedly plan to have harmonized standards in place about 10 months before the requirements become mandatory.
What you can do now
Based on workshops and presentations from the ESOs and the commission, the harmonized standards will likely be based on the existing IoT cybersecurity standards EN 303 645 and IEC 62443-4-2. It’s not too early to look at how these standards may affect your internet-connected product’s design. You may also consider testing products you know will be shipping to Europe in 2024 against these standards, or obtaining a third-party certification that aligns with EN 303 645.