Cybersecurity Requirements in the Radio Equipment Directive
The European Commission’s (EC) Radio Equipment Directive 2014/53/EU (RED) establishes a regulatory framework for radio equipment, setting essential requirements for safety and health, electromagnetic compatibility (EMC) and radio spectrum efficiency. Article 3.3 of the directive includes device requirements related to specific categories of radio equipment ranging from common interfaces to cybersecurity.
On Jan. 12, 2022, the Official Journal of the European Union published delegated regulation 2022/30/EU, enforcing compliance requirements to RED Article 3.3(d), (e) and (f). The regulation requires cybersecurity, personal data privacy and fraud protection for applicable wireless devices available on the EU market (see figure). It takes effect Feb. 1, 2022, and becomes mandatory Aug. 1, 2024, giving device manufacturers a 30-month transition period.
RED Article 3.3 Cybersecurity
- Article 3.3(d) improves network protection. Device manufacturers will have to include features that avoid harming communication networks and prevent the device from disrupting the functionality of websites or services.
- Article 3.3(e) strengthens personal data and privacy protection. For example, device manufacturers will have to implement measures to prevent unauthorized access or transmission of consumers’ personal data.
- Article 3.3(f) reduces the risk of fraud. Device manufacturers will have to include features such as better user authentication control to minimize fraudulent electronic payments and monetary transfers.
Scope of the new regulation
The new regulation covers devices that can communicate over the internet, whether directly or via other equipment. Radio equipment that may expose sensitive personal data is also in scope. For example:
- Mobile phones, tablets and laptops
- Wireless toys and children’s safety equipment, such as baby monitors
- Wearable devices, such as smartwatches and fitness trackers
Article 3.3(d) applies to devices related to network protection. Article 3.3(e) applies to equipment that processes personal data, traffic data or location data (for detailed data definitions, refer to article 4(1) and 4(2) of EU regulation 2016/679 and article 2(b) and (c) of directive 2002/58/EC).
Article 3.3(f) applies to radio equipment that enables the holder or user to transfer money, monetary value or virtual currency as defined in article 2(d) of EU directive 2019/713. Cybersecurity measures should factor in emerging crime trends in the electronic payments industry such as crypto-jacking, ransomware, near-field communication-related fraud and biometric authentication tampering.
Devices already within the scope of EC regulations 2019/2144 (type examination for vehicles), 2018/1139 (civil aviation) or directive 2019/520 (electronic road-toll systems) that have similar security requirements do not fall under the new Article 3.3 regulation.
Harmonized standards in development
In August 2022, the EC issued a standardization request to the European Standard Organization (ESO) CEN/CENELEC, which initiated the work on the harmonized standards. It is expected that three standards will be published by December 2023, covering respectively Article 3.3(d), (e) and (f). UL Solutions reviewed the first draft of the proposed standard and submitted several comments to help improve the document.
The harmonized standards will support the essential requirements laid out in Article 3.3 and will contain technical specifications for radio equipment in scope. These specifications will cover topics such as network traffic monitoring, denial-of-service attack mitigation, authentication and access control mechanisms, secure update mechanisms, and attack surface reduction. Additionally, specifications will address data security and privacy, aiming at, for example, preventing the accidental or unauthorized storage, processing, access, disclosure, destruction or loss of data. Users will also be able to easily delete the personal data stored on a device before disposing of it, to prevent the exposure of their information.
How UL Solutions can help you
The RED Delegated Act (RED DA) will impact any manufacturer producing radio equipment to be sold on the EU market. Manufacturers will be responsible for cybersecurity throughout the entire lifecycle of the device. While the harmonized standards are not yet published, preparation for compliance can begin now. UL Solutions can help you progress towards RED DA compliance with advisory services to highlight gaps and provide you with educational guidance to reach your objectives. Together, we can increase your cybersecurity resiliency aligned with the cybersecurity regulation landscape.
UL Solutions can support you regardless of your current development stage. For early-stage projects, we can help you to apply security-by-design and embed security in your governance and processes. To this end, we offer training and workshops led by our security experts to equip your team with the knowledge to successfully implement your products. For projects in a later development stage, we can assist you with a gap analysis or full compliance assessment to EN 303 645 and IEC 62443-4-2, which will help you increase the security posture of your products. These two standards have requirements that overlap with the requirements expected to be in the harmonized standards for RED DA and will greatly support your readiness for RED.
Contact us to learn how we can help you prepare for compliance today.
FAQs - Radio Equipment Directive (RED) Cybersecurity Requirements