Radio Equipment Directive (RED) Now Includes Cybersecurity Requirements
Measures aim to improve network resilience, protect consumer privacy, and reduce the risk of fraud
04 April 2023
Radio equipment can only be placed onto the European market if it complies with the regulatory requirements set forth in the Radio Equipment Directive 2014/53/EU (RED). The RED establishes essential requirements for safety and health, electromagnetic compatibility, and the efficient use of the radio spectrum. However, as wireless devices like smartphones, fitness trackers, and toys have proliferated in our everyday lives, the European Commission recognized the need to address the risks related to cyber threats. As a result, in February 2022, the European Commission updated the RED to include additional provisions related to cybersecurity, which go into effect starting August 1, 2025. Compliance with the new cybersecurity provisions will be mandatory in order to achieve CE marking from that point forward.
The three (3) new RED cybersecurity requirements for radio equipment that manufacturers need to be aware of are outlined in Article 3.3 as follows:
- radio equipment does not harm the network or its functioning nor misuse network resources, thereby causing an unacceptable degradation of service
- radio equipment incorporates safeguards to ensure that the personal data and privacy of the user and of the subscriber are protected
- radio equipment supports certain features ensuring protection from fraud
According to the European Commission, the new requirements aim to:
- Improve network resilience: Wireless devices and products will have to incorporate features to avoid harming communication networks and to prevent the devices from being used to disrupt the functionality of websites or other services.
- Better protect consumers' privacy: Wireless devices and products will need to have features to guarantee the protection of personal data. The protection of children's rights will become an essential element of this legislation. For instance, manufacturers will have to implement new measures to prevent unauthorised access or transmission of personal data.
- Reduce the risk of monetary fraud: Wireless devices and products will have to include features to minimise the risk of fraud when making electronic payments. For example, they will need to ensure better authentication control of the user in order to avoid fraudulent payments.
All manufacturers who declare conformity to the Radio Equipment Directive will be impacted by the new cybersecurity requirements. Products covered by the scope include internet-connected radio equipment, childcare and toy radio equipment, and wearable equipment. Notably, however, medical devices are not in scope.
The European Commission has delegated CEN/CENELEC to develop EN harmonized standards in readiness for the August 1, 2025 deadline. Even without harmonized standards in place, Intertek, as a NANDO-listed Notified Body for the RED, can conduct evaluation and certification of radio equipment using state-of-the-art reference material as part of the conformity assessment process.
As a Notified Body in the EU for the Radio Equipment Directive (RED), Intertek can evaluate products to Article 3.3, including the new cybersecurity and emergency tracking function. In addition, Intertek offers Cyber Assured services and third-party certification, including penetration testing, vulnerability assessments, and assessment against current standards such as ETSI EN 303 645.