Cybersecurity and the RED Article 3.3 Essential Requirements
On 12 January 2022, the EU Commission published Delegated Regulation (EU) 2022/30 which relates to Articles 3.3(d), 3.3(e), and 3.3(f) of the Radio Equipment Directive (RED).
The RED clauses in question relate to the protection of the network, protection of the user, and protection from fraud.
- Article 3.3(d) radio equipment does not harm the network or its functioning nor misuse network resources, thereby causing an unacceptable degradation of service
- Article 3.3(e) radio equipment incorporates safeguards to ensure that the personal data and privacy of the user and the subscriber are protected
- Article 3.3(f) radio equipment supports certain features ensuring protection from fraud
Collectively, these new requirements are being referred to as Cybersecurity.
What does Delegated Regulation (EU) 2022/30 tell us?
The Regulation outlines some of the reasons for the requirements, which types of equipment will be within the scope, and the timeline for applying the new essential requirements.
The background to these requirements includes the hacking of equipment via an internet connection, the wellbeing of children, and access to the location or personal information of radio equipment users. Toys or bedroom monitors have microphones and speakers within reach of children, radio equipment is regularly used to connect to the internet, wearable technology is used to track our health statistics and location, and banking and payments are regularly handled online using radio equipment.
It is important to note that having a radio function is what puts equipment into the scope of the RED, but the RED covers every aspect of that equipment. Therefore, the whole product must meet the applicable parts of Article 3.3 and demonstrate cybersecurity, not just the radio link.
Products that fall into the scope of the Delegated Regulation
The Delegated Regulation (EU) 2022/30 applies to any equipment which connects to the internet, either directly or indirectly. This could include:
- Wearable technology or portable equipment with radio function, including radio equipment which could be worn or carried by a person or in their clothing.
- Equipment used to transfer money or virtual currency.
- A child’s toy with radio function, or other equipment used for childcare, such as child monitors. This type of equipment is covered by the Regulation, even if it does not have an internet connection.
The Regulation refers to the protection of the network or internet itself, and the protection of the user of the radio equipment. Therefore, the requirements apply to equipment used at both ends of internet connectivity.
Some equipment already has cybersecurity requirements applying as part of other EU Directives or Regulations and the RED Article 3.3 aspects will not be applied to that equipment. For example, medical devices and in vitro diagnostic medical devices, vehicles and vehicle systems that are subject to type approval, civil aviation equipment, and road toll systems for cross-border exchanges, are all subject to cybersecurity requirements through other Regulations and are therefore out of scope from Articles 3.3(d), 3.3(e) and 3.3(f).
Delegated Regulation (EU) 2022/30 was published in January 2022 and shall apply from 1 August 2024.
The first stage is for the EU Commission to agree on the standardization request with the International Standards Organizations, such as ETSI, CEN, and CENELEC. This is where it will be determined what type of assessments will be required if testing or calculations are needed, what the scope of the technical assessment will be, and what level of cybersecurity is considered acceptable. Until the standardization request is agreed upon, the industry does not know how to begin its assessments.
It is expected that the standardization request will be agreed upon around the end of June or July 2022. At that time, the standards groups can begin to write their standards and the industry will begin to have an idea of what the standards might contain.
As the standards develop, the assessment requirements will become clearer. On an almost month-by-month basis, the future cybersecurity requirements will come more into focus and provide a clearer picture to manufacturers, assessment laboratories, and Notified Bodies, towards the end of 2022.
When the standards have been written, they will be voted and approved by the standards writing bodies and then passed to the EU Commission for their review. If the standards meet the scope of the standardization request and are acceptable to the EU Commission, they will be added to the Official Journal of Harmonised Standards for the RED.
At this time, it looks very unlikely that the standards will be listed on the RED Official Journal of Harmonised Standards in time for the regulation to apply on 1 August 2024. Therefore, it is most likely that an EU Notified Body will be required to issue an EU Type Examination Certificate for products entering the EU market from 1 August 2024 until the standards become listed.
A Notified Body can issue a Type Examination Certificate covering the Article 3.3 cybersecurity requirements from 1 August 2024 onwards, even if the standards are still in a draft format.
There is not a transition period as such. The regulation will apply from 1 August 2024 onwards to all equipment in scope. The requirement will not apply before 1 August 2024, and it will be mandatory.
The assessment requirements
The scope and extent of the assessment requirements are being drafted and are expected to be clarified around the middle of 2022. By July 2022, it is hoped that we will have an idea about what type of assessment is needed. Even at that time, the assessment details will not be clear, but at least the topics of assessment will be known.
As an example, at this time nobody knows which tests will apply. From July 2022 onwards, we hope to know if there are tests, and what those tests are, even though we will not know the limits or methods of those tests.
Most companies involved in the RED have been working in Radio, EMC, and Safety requirements since the early days of the R&TTE Directive. The laws of physics are set, and measurement techniques for those aspects of the RED are well established. A measurement of radiated emissions today should be appropriate and relatable to a radiated emissions test 10 years ago, and 10 years from now. If you wish to assess a new radio service for EMC or radio performance, we already know which tests must be applied. It might take some expert knowledge to identify the test methods, pass/fail limits, performance levels, or spectrum sharing techniques, but all the information exists for anyone who knows how to find it. ETSI even has a guidance document EG 203 336 to indicate which tests should appear in a new EMC or radio standard.
However, with cybersecurity, there are a couple of significant differences. Firstly, industry does not know the assessment cases, and we do not know what type of assessment the EU Commission will expect to be performed. We could guess of course, but it would be a guess. Secondly, even when we do know the assessment requirements, the parameters will be changing rapidly. What counts as cyber-secure today is not what counted two years ago, and will not be what counts two years from now. This is an important consideration for any company planning what they will do for August 2024.
We do know that the first versions of the cybersecurity standards are expected to outline the fundamental requirements, to get all applicable radio equipment up to a reasonable level of security. It is understood that some equipment has no existing cybersecurity, and the first stage will be to bring all equipment up to a suitable minimum level of acceptable security.
Preparing for the regulation
Although the Regulation does not apply until 1 August 2024, preparation will be an essential aspect of meeting the requirements. The first thing for a manufacturer to do is look at their radio equipment and ask themselves, how cyber secure is this? What do you already do to make it secure from attack? If the answer is “nothing”, then you probably have some work to do.
There are some useful standards in circulation already and these could be used as guidance for a manufacturer to work towards. ETSI EN 303 645 is a useful standard to use as guidance, although it is not intended to be listed on the RED Official Journal of Harmonised Standards. Other standards exist, such as IEC 62443.
Manufacturers can review the design of their products and how secure it is. A manufacturer could consider the consequences of their equipment being hacked, and the ease with which someone could hack it. Topics for the manufacturer to consider include:
- Requiring complex passwords
- Providing a way for users to report vulnerabilities
- Keeping software versions updated to combat security risks
- Using secure protocols when transmitting or receiving sensitive information
- Minimizing the ways in which the equipment can be cyber-attacked
- Reducing the storage of sensitive data
- Allowing the user to delete their sensitive data
In addition, manufacturers will need to put more thought into the compliance of a device throughout its lifecycle. For EMC, safety, and radio, the assessment is typically considered at the time of placing a product on the market, and only a small number of manufacturers put sufficient thought into continued compliance during the life of the equipment. For example, if the equipment is expected to be placed on the market and then used for a period of three or four years, the manufacturer should consider if it will remain compliant during that time. Based on the type and environment of use, will the equipment continue to remain safe with good performance even after four years of use in possibly extreme conditions? With cybersecurity, this consideration by the manufacturer becomes even more important because the cyber environment could be changing around their product.
It is expected that the early standards for cybersecurity will be based on a general foundation level of compliance, and it is understood that it will not be possible to make radio equipment ‘cyber-attack proof’. Where some types of equipment already have cybersecurity requirements, such as 5G and smart meters, the basic essential requirements of RED Article 3.3 will not undermine the high level of security expected for those critical types of equipment.
In addition to the regulatory requirements of the RED, manufacturers should keep their eyes on the Cybersecurity Act, from the EU Agency for Cybersecurity.
The UK Radio Equipment Regulation does not include a cybersecurity requirement, but the UK is expected to implement cybersecurity requirements for equipment in Great Britain in the future.
The USA is also expected to introduce its cybersecurity requirements in the future.
The Element advantage
Element works in partnership with manufacturers of wireless, IoT, and radio devices in a wide range of industry sectors including the IT, Medical, Industrial, and Automotive markets.
We provide expert guidance from initial product conception onwards, supporting successful product launches and providing tailored advisory, training, testing, and certification services. Our wireless experts guide you through the whole product life-cycle, enabling you to feel in control to get your products to market quickly, smoothly, and efficiently.
We deliver on time, every time, from R&D innovation to marketplace reality.
Contact our smart experts to learn more.