Preparing for Radio Equipment Directive (RED) Cybersecurity Compliance
08 Oct 2024
What EN 18031 Means for Electrical Product Manufacturers
The European Union's Radio Equipment Directive (RED) has seen significant updates with the introduction of new cybersecurity requirements. These changes, particularly in Articles 3.3(d), (e), and (f), focus on the protection of networks, safeguarding personal data, and preventing fraud. For product manufacturers, especially those producing radio equipment that communicates over the internet or handles personal data, compliance with these regulations is essential to access the EU market.
Additionally, the release of the EN 18031 series of standards adds another layer of complexity. While this set of standards was developed to meet the RED cybersecurity requirements, it has not yet been harmonized, complicating the path to presumed conformity. This post will guide manufacturers through these evolving requirements and offer a roadmap for aligning with the necessary standards before the August 2025 deadline.
Understanding the Requirements of RED 3.3(d), (e), and (f)
The Radio Equipment Directive was amended to introduce cybersecurity requirements through Articles 3.3(d), (e), and (f). These requirements apply to radio equipment connected to the internet or handling personal data, ensuring a higher level of protection for networks, users, and their data.
- Article 3.3(d): Network Protection
Radio equipment must not harm the network or its functioning, nor misuse network resources in a way that causes an unacceptable degradation of service. This applies to any radio equipment that can communicate over the internet, whether directly or through other equipment.
- Article 3.3(e): Privacy Protection
Radio equipment must include safeguards that protect users' personal data and privacy. This covers internet-connected radio equipment, and also childcare equipment, toys with radio functions, and wearable technology, whenever the equipment is capable of processing personal, traffic, or location data, even if it has no internet connectivity of its own.
- Article 3.3(f): Fraud Prevention
Radio equipment must incorporate features that protect against fraud. This applies to internet-connected radio equipment that enables the holder or user to transfer money, monetary value, or virtual currency.
Scope Considerations
Certain product categories, such as those regulated by the Medical Devices Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR), fall outside the scope of these RED requirements. Additionally, motor vehicles, civil aviation equipment, and electronic road toll systems fall outside the scope of the provisions of Articles 3.3(e) and (f).
Timeline for Compliance
Manufacturers originally faced an August 1, 2024, deadline to comply with the new cybersecurity requirements. However, this deadline has been extended by a year, giving manufacturers until August 1, 2025, to ensure compliance. Despite this extension, manufacturers should prioritize these updates to avoid bottlenecks and costly disruptions to product launches.
Compliance Process: How to Meet the RED Requirements
Harmonized standards are the simplest route to demonstrating compliance: a manufacturer that applies a harmonized standard in full benefits from a presumption of conformity and can self-assess under internal production control (Module A). Currently, no harmonized standards are cited in the Official Journal for Articles 3.3(d), (e), and (f). Where no harmonized standard exists, or one is applied only in part, the RED requires the manufacturer to involve a Notified Body, either through EU-type examination (Module B) followed by conformity to type (Module C), or through full quality assurance (Module H), and to show that the product's security design reflects the state of the art.
A risk assessment is also a key component of the compliance process. This evaluation helps identify potential gaps in conformity and ensures that all cybersecurity risks are mitigated.
Risk of Non-Compliance
Failing to comply with the RED cybersecurity requirements carries significant risks. Manufacturers who do not meet these standards could face fines, product recalls, or even bans on selling their products in the EU market.
The cost of non-compliance is not limited to regulatory penalties; it can also damage a company's reputation and lead to lost market opportunities. Therefore, it is essential to ensure that products are fully compliant by the August 2025 deadline, as the risks of delays or failures are too great to ignore.
Software Updates and Cybersecurity Maintenance
Even after a product is launched, manufacturers need to ensure ongoing compliance through software updates and cybersecurity maintenance. Many radio devices continue to receive software patches after they are sold, meaning cybersecurity requirements must be maintained throughout the product's lifecycle.
Manufacturers should develop processes for securely providing regular updates, particularly in response to newly identified cybersecurity threats, ensuring that their products remain compliant even as technology evolves. Ongoing cybersecurity vigilance is not just a pre-market requirement but an operational necessity.
Introduction of EN 18031: Current Status and Its Role in Compliance
The EN 18031 series of standards was developed specifically to address the cybersecurity requirements outlined in RED Articles 3.3(d), (e), and (f). This series comprises three parts:
- EN 18031-1 focuses on network protection (Article 3.3(d)).
- EN 18031-2 addresses privacy concerns (Article 3.3(e)).
- EN 18031-3 covers fraud prevention (Article 3.3(f)).
Although these standards were published by CEN-CENELEC in August 2024, they have not been harmonized: the Commission's HAS (Harmonised Standards) consultant gave them a negative assessment, citing the need for revisions, so their references have not been cited in the Official Journal. Without that citation there is no presumption of conformity, and manufacturers must engage a Notified Body for the conformity assessment.
Steps Manufacturers Should Take Now
Given the complexity and the impending deadline, manufacturers should take proactive steps to align with the RED requirements and avoid delays. The following actions are essential:
- Conduct a Cyber Risk Assessment
A comprehensive risk assessment is crucial to identify and address cybersecurity vulnerabilities within your product.
- Select Appropriate Standards
Although the EN 18031 series directly targets the RED requirements, manufacturers may also consider alternative standards such as ETSI EN 303 645 or IEC 62443. However, any gaps between those standards and the RED requirements must be identified and addressed.
- Prepare Technical Documentation
Manufacturers need to develop thorough technical documentation to demonstrate compliance with the selected standards.
- Begin Testing Early
Independent testing is vital to ensure that products meet the required standards and pass conformity assessments without delays.
- Engage a Notified Body
To ensure regulatory requirements are met, manufacturers should collaborate with a Notified Body for conformity assessments under the RED.
Future-Proofing for Upcoming EU Regulations
Manufacturers should also be aware of upcoming regulations like the EU Cyber Resilience Act, which will introduce further cybersecurity requirements for products sold in the EU. Designing products and organizational processes with these future regulations in mind will reduce the need for costly redesigns down the line. Manufacturers should continuously monitor the regulatory landscape to ensure their products are not only compliant with current standards but are also prepared for future legislative changes. This forward-thinking approach can save time and resources in the long run.
How Intertek Can Assist
Intertek offers a comprehensive suite of services to support manufacturers through their RED compliance journey. From initial risk assessments and documentation to independent testing and gap analysis, our global team of experts can help ensure your product is market-ready by the August 2025 deadline. We specialize in fast-tracking compliance with standards such as EN 18031, ETSI EN 303 645, and IEC 62443.
Contact us today to ensure your products are compliant with the RED cybersecurity requirements and avoid costly delays.