
Cybersecurity Requirements in the Radio Equipment Directive
Learn more about Article 3.3 of the European Commission’s Radio Equipment Directive 2014/53/EU (RED) and address radio-specific device requirements ranging from common interfaces to cybersecurity.
The European Commission’s (EC) Radio Equipment Directive 2014/53/EU (RED) establishes a regulatory framework for radio equipment, setting essential requirements for safety and health, electromagnetic compatibility (EMC) and radio spectrum efficiency. The directive includes Article 3.3 as a placeholder to address device requirements related to radio-specific issues ranging from common interfaces to cybersecurity.
On Jan. 12, 2022, the Official Journal of the European Union published delegated regulation 2022/30/EU, enforcing compliance with the requirements of RED Article 3.3(d), (e) and (f). The regulation increases cybersecurity, personal data privacy and fraud protection for applicable wireless devices available on the EU market (see figure). It takes effect Feb. 1, 2022, and becomes mandatory Aug. 1, 2024, giving device manufacturers a 30-month transition period.
The new regulation covers devices that can communicate over the internet, whether directly or via other equipment. Examples:
Article 3.3(d) applies to devices related to network protection.
Article 3.3(e) applies to equipment that processes personal data, traffic data or location data (for detailed data definitions, refer to article 4(1) and 4(2) of EU regulation 2016/679 and article 2(b) and (c) of directive 2002/58/EC).
Article 3.3(f) applies to radio equipment that enables the holder or user to transfer money, monetary value or virtual currency as defined in article 2(d) of EU directive 2019/713. Cybersecurity measures should factor in emerging crime trends in the electronic payments industry such as crypto-jacking, ransomware, near-field communication-related fraud and biometric authentication tampering.
Devices already within the scope of EC regulations 2019/2144 (type examination for vehicles), 2018/1139 (civil aviation) or directive 2019/520 (electronic road-toll systems) that have similar security requirements do not fall under the new Article 3.3 regulation.
Currently, no harmonized standards cover the scope of the RED Article 3.3 regulation. While the EU has yet to task the European Standards Organizations (ESOs) with creating such standards, the ESOs and EU Commission reportedly plan to have harmonized standards in place about 10 months before the act requirements become mandatory.
Based on workshops and presentations from the ESOs and commission, the harmonized standards will likely be based on existing IoT cybersecurity standards EN 303 645 and IEC 62443-4-2. It’s not too early to look at how these standards may impact your internet-connected product’s design. You may also consider testing products you know will be shipping to Europe in 2024 to these standards or obtaining a third-party certification that aligns with EN 303 645.