22 Apr 2025

The First Step to RED Compliance is Risk Assessment

A cybersecurity risk assessment isn’t a checkbox exercise – it’s the foundation of compliance. Under the Radio Equipment Directive (RED), manufacturers must identify vulnerabilities early in the design phase to mitigate security risks before they become costly problems.

Step-by-Step Guide to a RED-Compliant Risk Assessment

  1. For self-declaration, you must use the harmonized standard EN 18031-series. Buy it!
  2. Security Asset Identification: Map all components (hardware, software, data flows) in your product. Understand what needs protection.
  3. Threat Modeling: Use frameworks like STRIDE to predict attack vectors:
    • Spoofing: Unauthorized device access.
    • Tampering: Physical or digital manipulation.
    • Repudiation: Lack of audit trails for transactions.
    • Information Disclosure: Data leaks or unauthorized exposure.
    • Denial of Service (DoS): Overloading a device with traffic.
    • Elevation of Privilege: Gaining unauthorized higher-level access.
  4. Risk Listing and Prioritization: Rank vulnerabilities based on likelihood and impact. A high-risk vulnerability could be a weak default password, whereas a low-risk vulnerability might be an outdated UI component with no security function.
  5. Mitigation Strategies: Implement security best practices, such as strong encryption, access controls, and regular software updates.
  6. Continuous Monitoring: Risk assessments are not a one-time effort. Regularly update security measures as threats evolve.
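The steps above (asset mapping, STRIDE threat enumeration, likelihood-times-impact ranking, and mitigation planning) can be kept in a small risk register that is checked in alongside the design. The following is an added example, not code from the article or from Intertek: a minimal Python register for a hypothetical smart lock, with constructed sample assets and threats drawn from the examples in the text (weak default password, outdated UI component, unencrypted Bluetooth). The 1..5 scales and the High/Medium/Low band thresholds are assumptions to tune to your own risk appetite; EN 18031 and ETSI TR 103935 do not prescribe them.

```python
"""Added example: a minimal STRIDE-based risk register for a RED risk assessment.
All sample data is constructed (hypothetical smart lock); the scoring bands are an assumption."""
from dataclasses import dataclass
from enum import Enum


class Stride(Enum):
    """The six STRIDE threat categories."""
    SPOOFING = "Spoofing"
    TAMPERING = "Tampering"
    REPUDIATION = "Repudiation"
    INFORMATION_DISCLOSURE = "Information Disclosure"
    DENIAL_OF_SERVICE = "Denial of Service"
    ELEVATION_OF_PRIVILEGE = "Elevation of Privilege"


@dataclass(frozen=True)
class Asset:
    """Step 2: something in the product that may need protection."""
    name: str
    kind: str  # "hardware", "software" or "data flow"


@dataclass
class Threat:
    """Steps 3 and 4: one STRIDE threat against one asset, scored 1..5 on two axes."""
    asset: Asset
    category: Stride
    description: str
    likelihood: int  # 1 = rare ... 5 = almost certain (assumed scale)
    impact: int      # 1 = negligible ... 5 = severe (assumed scale)
    mitigation: str = ""  # step 5: empty until a control has been planned

    def __post_init__(self) -> None:
        for axis in (self.likelihood, self.impact):
            if not 1 <= axis <= 5:
                raise ValueError("likelihood and impact must be in 1..5")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def band(self) -> str:
        # Assumed thresholds on the 1..25 scale; tune to your own risk appetite.
        if self.score >= 15:
            return "High"
        if self.score >= 8:
            return "Medium"
        return "Low"


def rank(threats: list[Threat]) -> list[Threat]:
    """Step 4: highest score first; ties broken by asset name for stable output."""
    return sorted(threats, key=lambda t: (-t.score, t.asset.name))


def assets_without_threats(assets: list[Asset], threats: list[Threat]) -> set[str]:
    """Completeness check: assets mapped in step 2 but never considered in step 3."""
    covered = {t.asset.name for t in threats}
    return {a.name for a in assets} - covered


def unmitigated_high_risks(threats: list[Threat]) -> list[str]:
    """Step 5 check: every High-band threat should have a planned control."""
    return [t.description for t in threats if t.band == "High" and not t.mitigation]


def render(threats: list[Threat]) -> str:
    """Plain-text register, highest risk first."""
    lines = [f"{'Score':>5}  {'Band':<6} {'STRIDE':<22} {'Asset':<22} Threat"]
    for t in rank(threats):
        lines.append(f"{t.score:>5}  {t.band:<6} {t.category.value:<22} "
                     f"{t.asset.name:<22} {t.description}")
    return "\n".join(lines)


# Constructed sample data for a hypothetical smart lock (not a real product).
BLE = Asset("BLE link", "data flow")
ADMIN = Asset("Admin account", "software")
FW = Asset("Firmware update path", "software")
UI = Asset("Status display UI", "software")
LOG = Asset("Event log", "data flow")
CLOUD = Asset("Cloud API", "data flow")  # mapped in step 2, but no threat written yet

ASSETS = [BLE, ADMIN, FW, UI, LOG, CLOUD]
THREATS = [
    Threat(ADMIN, Stride.SPOOFING, "Weak default password on admin account", 5, 5,
           "Unique per-device credential, forced change at first use"),
    Threat(BLE, Stride.INFORMATION_DISCLOSURE,
           "Unencrypted Bluetooth exposes unlock credential", 4, 5),
    Threat(FW, Stride.TAMPERING, "Unsigned firmware image accepted", 3, 5,
           "Signed images, verified before install"),
    Threat(LOG, Stride.REPUDIATION, "No audit trail for unlock events", 3, 3),
    Threat(BLE, Stride.DENIAL_OF_SERVICE, "Connection flood blocks legitimate phone", 3, 2),
    Threat(UI, Stride.TAMPERING, "Outdated UI widget library with no security function", 2, 1),
]

if __name__ == "__main__":
    print(render(THREATS))
    print("Assets with no threat considered:", assets_without_threats(ASSETS, THREATS))
    print("High risks still lacking a mitigation:", unmitigated_high_risks(THREATS))
```

The two checks at the end are the part worth keeping for step 6: an asset that nobody wrote a threat for, and a High-band threat with no planned mitigation, are the gaps an assessor will ask about, so re-running the register after every design change keeps the assessment from becoming the checkbox exercise the article warns against.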

Possible Scenario

A smart lock company discovers during testing that unencrypted Bluetooth communication allowed hackers to bypass authentication. Early identification could have saved them several hundred thousand euros in post-market recalls and avoided reputational damage.

Recommended Tools

  • ETSI TR 103935: Provides details on characteristics for a good risk assessment methodology.
  • Regular Penetration Testing: Identifies vulnerabilities proactively.
  • Threat Intelligence Feeds: Use platforms like MITRE ATT&CK for up-to-date attack trends.

Final Thought

A proactive risk assessment saves manufacturers from expensive product redesigns and reputational damage.

Joakim Mark

Technical Manager

Joakim Mark joined Intertek in 2021 as the Technical Manager for the Common Criteria Lab in Kista, Sweden, progressively expanding his role as lab manager and member of the IoT cybersecurity team in Kista, Sweden. Overall, Joakim brings more than 30 years of IT industry experience spanning both technical and strategic roles.
