The CW Journal is back - online!

Feast your eyes on brand new in-depth technology pieces and high-quality opinion articles - all available via our new CW Journal subsite.

New Cybersecurity Requirements: Radio Equipment Directive

Member News published by UL (Underwriters Laboratories), under Handsets / Connected Devices, Internet of Things (IoT), Manufacturing, Sensors, Wide Area Networks

Learn more about Article 3.3 of the European Commission’s Radio Equipment Directive 2014/53/EU (RED) and address radio-specific device requirements ranging from common interfaces to cybersecurity.

The European Commission’s (EC) Radio Equipment Directive 2014/53/EU (RED) establishes a regulatory framework for radio equipment, setting essential requirements for safety and health, electromagnetic compatibility (EMC) and radio spectrum efficiency. The directive includes Article 3.3 as a placeholder to address device requirements related to radio-specific issues ranging from common interfaces to cybersecurity.

On Jan. 12, 2022, the Official Journal of the European Union published delegated regulation 2022/30/EU, enforcing compliance requirements to RED Article 3.3(d), (e) and (f). The regulation increases cybersecurity, personal data privacy and fraud protection for applicable wireless devices available on the EU market (see figure). It takes effect Feb. 1, 2022, and becomes mandatory Aug. 1, 2024, giving device manufacturers a 30-month transition period.

RED Article 3.3 Cybersecurity

  • Article 3.3(d) improves network protection. Device manufacturers will have to include features that avoid harming communication networks and prevent the device from disrupting website or services’ functionality. 
  • Article 3.3(e) strengthens personal data and privacy protection. For example, device manufacturers will have to implement measures to prevent unauthorized access or transmission of consumers’ personal data.
  • Article 3.3(f) reduces the risk of fraud. Device manufacturers will have to include features such as better user authentication control to minimize fraudulent electronic payments and monetary transfers

Scope of the new regulation

The new regulation covers internet-connected devices that can communicate over the internet, whether directly or via other equipment. Examples:

  • Mobile phones, tablets and laptops
  • Wireless toys and children’s safety equipment such as baby monitors
  • Wearable devices such as smartwatches and fitness trackers

Article 3.3(d) applies to devices related to network protection. Article 3.3(e) applies to equipment that processes personal data, traffic data or location data (for detailed data definitions, refer to article 4(1) and 4(2) of EU regulation 2016/679 and article 2(b) and (c) of directive 2002/58/EC). 

Article 3.3(f) applies to radio equipment that enables the holder or user to transfer money, monetary value or virtual currency as defined in article 2(d) of EU directive 2019/713. Cybersecurity measures should factor in emerging crime trends in the electronic payments industry such as crypto-jacking, ransomware, near-field communication-related fraud and biometric authentication tampering.

Devices already within the scope of EC regulations 2019/21446 (type examination for vehicles), 2018/11397 (civil aviation) or directive 2019/520 (electronic road-toll systems) that have similar security requirements do not fall under the new Article 3.3 regulation.

Harmonized standards in development

Currently, no harmonized standards cover the scope of the RED Article 3.3 regulation. While the EU has yet to task the European Standards Organizations (ESOs) with creating such standards, the ESOs and EU Commission reportedly plan to have harmonized standards in place about 10 months before the act requirements become mandatory.

What you can do now

Based on workshops and presentations from the ESOs and commission, the harmonized standards will likely be based on existing IoT cybersecurity standards EN 303 645 and IEC 62443-4-2. It’s not too early to look at how these standards may impact your internet-connected product’s design. You may also consider testing products you know will be shipping to Europe in 2024 to these standards or obtaining a third-party certification that aligns with EN 303 645.

For more information, please visit ul.com

Subscribe to the CW newsletter

This site uses cookies.

We use cookies to help us to improve our site and they enable us to deliver the best possible service and customer experience. By clicking accept or continuing to use this site you are agreeing to our cookies policy. Learn more

Start typing and press enter or the magnifying glass to search

Sign up to our newsletter
Stay in touch with CW

Choosing to join an existing organisation means that you'll need to be approved before your registration is complete. You'll be notified by email when your request has been accepted.

i
Your password must be at least 8 characters long and contain at least 1 uppercase character, 1 lowercase character and at least 1 number.

I would like to subscribe to

Select at least one option*