Cybersecurity and the RED Article 3.3 Essential Requirements

On 12 January 2022, the EU Commission published Delegated Regulation (EU) 2022/30 which relates to Articles 3.3(d), 3.3(e), and 3.3(f) of the Radio Equipment Directive (RED).

The RED delegated act clauses in question relate to the protection of the network, protection of the user, and protection from fraud.

• Article 3.3(d) radio equipment does not harm the network or its functioning nor misuse network resources, thereby causing an unacceptable degradation of service
• Article 3.3(e) radio equipment incorporates safeguards to ensure that the personal data and privacy of the user and the subscriber are protected
• Article 3.3(f) radio equipment supports certain features ensuring protection from fraud

Collectively, these new requirements are being referred to as Cybersecurity.

Delegated Regulation (EU) 2022/30

The Regulation outlines some of the reasons for the requirements, which types of equipment will be within the scope and the timeline for applying the new essential requirements.

A history of this topic includes hacking of equipment via an internet connection, children and their well-being, and access to the location or personal information of radio equipment users. Toys or bedroom monitors have microphones and speakers with access to children, radio equipment is regularly used to connect to the internet, wearable technology is used to track our health statistics and location, and banking and payments are regularly handled online using radio equipment.

It is important to note that having a radio function is what puts equipment into the scope of the Radio Equipment Directive (RED), but the RED covers every aspect of that equipment. Therefore, the whole product must meet the applicable parts of Article 3.3 and demonstrate cybersecurity, not just the radio link.

Products that fall into the scope of the Delegated Regulation

The Delegated Regulation (EU) 2022/30 applies to any equipment which connects to the internet, either directly or indirectly. This could include:

• Wearable technology or portable equipment with radio function, including radio equipment which could be worn or carried by a person or in their clothing.
• Equipment used to transfer money or virtual currency.
• A child’s toy with radio function, or other equipment used for childcare, such as child monitors. This type of equipment is covered by the Regulation, even if it does not have an internet connection.

The Regulation refers to the protection of the network or internet itself and the protection of the user of the radio equipment. Therefore, the requirements apply to equipment used at both ends of internet connectivity.

Some equipment already has cybersecurity requirements applying as part of other EU Directives or Regulations and the RED Article 3.3 aspects will not be applied to that equipment. For example, medical devices and in vitro diagnostic medical devices, vehicles and vehicle systems that are subject to type approval, civil aviation equipment, and road toll systems for cross-border exchanges, are all subject to cybersecurity requirements through other Regulations and are therefore out of scope from Articles 3.3(d), 3.3(e) and 3.3(f).

Some types of equipment are within the scope of the RED requirements but are already subject to national laws regarding cybersecurity in some EU member states, so care will be taken not to change those requirements, but to harmonize them and make them part of the assessment process.

Timeline

When first published, Delegated Regulation (EU) 2022/30 included a start date of 1 August 2024 but this has now been moved to 1 August 2025.

The first stage was the publication of Delegated Regulation (EU) 2022/30, in January 2022.

The second stage was for the EU Commission to agree on the standardization request with an International Standards Organization. This stage is where it has been determined what type of assessments will be required if testing or calculations are needed, and what the scope of the technical assessment will be. The EU Commission made the decision to submit their standardization request to CEN/CENELEC, and the request was published on 5 August 2022.

The third stage was for CEN/CENELEC to accept the standardization request and present a project plan and timeline to the EU Commission, on how CEN/CENELEC proposes to meet the requirements detailed in the standardization request. The standard is now in progress and the timeline has been amended such that the harmonized standard is planned to be available in June 2024.

Technical experts and contributors, including representatives from Element, in the CEN/CENELEC committee have begun drafting the requirements, with a plan to create standards that could be listed on the RED Official Journal of harmonized standards. It is expected that there will be at least three standards, covering Article 3.3(d), 3.3(e), and 3.3(f).

Therefore, at the time of writing this document, we know which equipment is in scope, we know the type of criteria required for each part of Article 3.3, and we know the assessment standards are in progress.

When the standards have been written and published by CEN/CENELEC, they will be voted and approved, then passed to the EU Commission for their review. If it is decided that the standards meet the scope of the standardization request and are acceptable to the EU Commission, they will be added to the Official Journal of Harmonised Standards for the RED.

Industry will know the final assessment or test procedures for applying the standards when the publication of the standards is complete, and the EU Commission has listed them on their Official Journal of Harmonised Standards for the RED.

As these CEN/CENELEC standards develop, the assessment process will become clearer. It is not a case of waiting years to see what the final assessment process will be. From now on, on an almost month-by-month basis, the standards will come into focus and provide a clearer picture to manufacturers, assessment laboratories, and Notified Bodies of what they will become. By the time the standards are finally listed in the Official Journal, we will already know what they contain.

If the standards are not listed on the RED Official Journal of Harmonized Standards in time for the regulation to begin on 1 August 2025, it will be possible for the manufacturer to proceed with their products to market by working with an EU Notified Body. In such a case, the EU Notified Body will be required to review the manufacturer’s technical documentation and issue an EU Type Examination Certificate for radio equipment entering the EU market from 1 August 2025, until the standards do become listed.

A Notified Body can issue an EU Type Examination Certificate (EU-TEC) covering the Article 3.3 cybersecurity requirements from 1 August 2025 onwards, even if the standards are still in a draft format. It may be possible for the Notified Body to issue their EU-TEC before 1 August 2025, such that the EU-TEC would be ready to become active on 1 August 2025. However, it may be unwise for the manufacturer to request an EU-TEC until the standards have become stable because the EU-TEC expires if standards change.  For example, an EU-TEC issued in 2023 or 2024 for Articles 3.3(d), 3.3(e), or 3.3(f) would most likely expire before it even becomes a valid document on 1 August 2025.

There is not a transition period as such. The regulation will apply from 1 August 2025 onwards to all equipment.  The requirement will not apply before 1 August 2025, and it will be mandatory after 1 August 2025. Therefore, the time until 1 August 2025 is more of a ‘preparation period’.

The assessment requirements

While we may not have test or assessment methods and procedures yet, we do now know the content of the standardization request and therefore we do know what the requirements are that equipment will need to meet, from 1 August 2025 onwards.

We know the following about the three applicable aspects of RED Article 3.3:

• Article 3.3(d) radio equipment does not harm the network or its functioning nor misuse network resources, thereby causing an unacceptable degradation of service

This clause is applicable to equipment that connects to the internet, directly or indirectly.

The radio equipment shall:

(a) Include elements to monitor and control network traffic, including the transmission of outgoing data

(b) Be designed to mitigate the effects of ongoing denial of service attacks

(c) Implement appropriate authentication and access control mechanisms

(d) Be provided, on a risk basis, with up-to-date software and hardware at the moment of placing on the market that do not contain publicly known exploitable vulnerabilities as regards harm to the network or its functioning or misuse of network resources

(e) Be provided with automated and secure mechanisms for updating software or firmware that allow, when necessary, the mitigation of vulnerabilities that if exploited may lead to the radio equipment harming the network or its functioning or the misuse of network resources

(f) Protect the exposed attack surfaces and minimize the impact of successful attacks

• Article 3.3(e) radio equipment incorporates safeguards to ensure that the personal data and privacy of the user and the subscriber are protected

This clause is applicable to equipment that is capable of processing personal data, traffic data, or location data. Also, equipment exclusively for childcare, equipment that may worn on, strapped to, or hung from any part of the head or body, including clothing, and other internet-connected equipment.

The radio equipment shall:

(a) Protect stored, transmitted, or otherwise processed personal data against accidental or unauthorized processing, including storage, access, disclosure, destruction, loss or alteration or lack of availability

(b) Implement appropriate authentication and access control mechanisms

(c) Be provided, on a risk basis, with up-to-date software and hardware at the moment of placing on the market that does not contain publicly known exploitable vulnerabilities as regards data protection and privacy

(d) Be provided with automated and secure mechanisms for updating software or firmware that allow, when necessary, the mitigation of vulnerabilities that if exploited may lead to unauthorized processing, including storage, access, disclosure, destruction, loss or alteration, or lack of availability of personal data

(e) Include functionalities to inform the user of changes that may affect data protection and privacy

(f) Log the internal activity that can have an impact on data protection and privacy

(g) Allow users to easily delete their stored personal data, enabling the disposal or replacement of equipment without the risk of exposing personal data

(h) Protect the exposed attack surfaces and minimize the impact of successful attacks

The standardization request clarifies that it is important for assessments of smartphones, equipment for childcare, radio-enabled toys, smart meters, and 5G networks shall consider other regulations and not undermine the assessments covered by such regulations.

• Article 3.3(f) radio equipment supports certain features ensuring protection from fraud

This clause is applicable to equipment that connects to the internet, directly or indirectly and allows the user to transfer money, monetary value, or virtual currency.

The radio equipment shall:

(a) Protect stored, transmitted, or otherwise processed financial or monetary data against accidental or unauthorized processing, including storage, access, disclosure, destruction, loss or alteration or lack of availability

(b) Implement appropriate authentication and access control mechanisms

(c) Be provided, on a risk basis, with up-to-date software and hardware at the moment of placing on the market that does not contain publicly known exploitable vulnerabilities as regards financial or monetary data

(d) Be provided with automated and secure mechanisms for updating software or firmware that allow, when necessary, the mitigation of vulnerabilities that if exploited may lead to unauthorized processing, including storage, access, disclosure, destruction, loss or alteration, or lack of availability of financial or monetary data

(e) Log the internal activity that can have an impact on financial or monetary data

(f) Protect the exposed attack surfaces and minimize the impact of successful attacks

For all of the RED Article 3.3 parts, it is assumed that the first versions of the cybersecurity standards will set assessment levels for the fundamental requirements, to get all radio equipment within scope of the requirement up to a reasonable level of security. Some equipment likely has no existing cybersecurity or resilience, and the first stage will be to bring all equipment to a suitable minimum level of acceptable security.

Preparing for the regulation

Although the Regulation does not apply until 1 August 2025, preparation will be an essential aspect of being ready to meet the requirements. The first thing for a manufacturer to do is look at their radio equipment and ask themselves, how cyber secure is this? What do you already do to make it secure from attack? If the answer is “nothing”, then you probably have some work to do.

Regarding compliance with the RED, the manufacturer should look specifically at the requirements listed above and consider how they meet those requirements. The assessment standards, when complete, will provide clear and detailed ways to demonstrate compliance with the requirements; but there is nothing to stop a manufacturer from working on ensuring their equipment could achieve those goals in the meantime.  Even when the standards are published, the application of a harmonized standard is not the only way to demonstrate compliance with the RED.

Some manufacturers will already have ideas of how they could assess their product and how they could demonstrate compliance with the requirements listed in the standardization request, and in this document. It is possible that some manufacturers already have such assessments in place, for their own quality system.  For other manufacturers, companies like Element will be available to help.

For those who seek assistance, there are some useful standards in circulation already and these could be used to assist the manufacturer and test labs in assessment approaches.  ETSI EN 303 645 contains sections specifically related to the topics described above, such as updating software, monitoring data traffic, and minimizing exposed attack surfaces.

EN 303 645 is a useful standard to use as guidance, although it is not intended to be listed on the RED Official Journal of Harmonised Standards, and it does not contain all the information necessary to meet the RED.

Other standards also exist, such as the IEC 62443 series for industrial, automation and control.

Element’s cybersecurity team is available to help explain the standards and guide manufacturers through the process of applying the standards and performing cyber assessments

In all cases, Element’s EU Notified Bodies will be available to evaluate the manufacturer’s cybersecurity assessment and provide a review to determine compliance with the RED. An EU Notified Body will be able to issue their Type Examination Certificates to Article 3.3(d), 3.3(e), and 3.3(f), which will be a legally valid document from 1 August 2025.

Manufacturers will need to put more thought into the compliance of a device throughout its lifecycle. For the RED, as with most EU Directives, the assessment is considered at the time of placing a product on the market, and only a small number of manufacturers put sufficient thought into continued compliance during the life of the equipment. For example, if the equipment is expected to be placed on the market and then used for a period of three or four years, the manufacturer should consider if it will remain compliant during that time. Based on the type of product and environment of use, the manufacturer should consider if the equipment will continue to remain safe with good performance even after four years of use in possibly extreme conditions. Poor quality components or software could result in a product that becomes non-compliant within the lifetime of the product. This applies to all aspects of the RED, such as Safety, EMC, and Radio Performance.  With cybersecurity, this consideration by the manufacturer becomes even more important because the cyber environment could be changing around their product; hence the requirements relating to software and firmware updates.

Other considerations

On 15 September 2022, the Cyber Resilience Act (CRA) was published in Europe, to bolster cybersecurity rules and ensure more secure hardware and software products on the EU market.

A significant consideration of the CRA, compared to the RED, is that the RED covers only radio equipment, whereas the CRA covers hardware and software products, and any product containing digital operations.

The main objectives of the CRA are to ensure that digital products placed on the market in the EU have fewer vulnerabilities and that manufacturers remain responsible for cybersecurity throughout the product’s lifecycle, to improve the security of hardware and software products, and to give better protection to users of digital equipment. This would be a horizontal Act, covering radio and non-radio-enabled equipment, not just equipment in the scope of the RED.

The CRA is intended to complement the EU regulatory requirements.

The UK Radio Equipment Regulation does not include a cybersecurity requirement, but the UK has announced its own cybersecurity regulation, called the UK Product Security and Telecommunications Infrastructure.  It is based on an assessment of EN 303 645 and becomes mandatory for any manufacturer selling equipment in the scope of the regulation, in the UK, from 29 April 2024!

The USA is also introducing cybersecurity requirements, including labeling requirements to demonstrate cyber resilience.

The Element advantage

Element works in partnership with manufacturers of wireless, IoT, and radio equipment in a wide range of industry sectors including the consumer, commercial, IT, Medical, Industrial, and Automotive markets.

We provide expert guidance from initial product conception onwards, supporting successful product launches and providing advisory, training, testing, and certification services.  

Our experts are available to guide you through the regulatory compliance process, considering the regulations at the time of sale and the whole product lifecycle, enabling you to feel in control to get your products to market quickly, smoothly, and efficiently.

Element has many EU Notified Bodies, located in Europe, North America, and Asia.

Our highly experienced Notified Body team is familiar with the complex requirements of the Radio Equipment Directive, and we understand the process for assessing products in the absence of harmonized standards in the Official Journal.

We strive to deliver on time, every time, from R&D innovation to marketplace reality. Contact our smart experts today.