Wireless products get new EU security legislation
The Radio Equipment Directive (RED) is applicable to all electrical and electronic devices that intentionally emit and receive radio waves at frequencies below 3,000 GHz, and it establishes a regulatory framework for placing radio equipment on the market.
In the UK, the RED has been replaced by the Radio Equipment Regulations 2017, but for the foreseeable future the requirements of the UK Regulation will remain the same as those of the EU’s RED.
Joe Lomako, Business Development Manager (IoT) at TÜV SÜD, explores further.
The Delegated Act of the RED activates Articles 3(3)(d), (e) and (f) for certain categories of radio equipment, to increase the level of cybersecurity, personal data protection and privacy in devices connected to the Internet.
These provisions will become mandatory on 1st August 2024, and manufacturers of radio-connected devices must be compliant by that date or face potential action. The reason is that more and more products employ radio technology, and many of these devices connect to the Internet, which could expose them to increasing security threats and to being attacked and exploited.
The text in the RED is quite brief, as detailed below:
- RED Article 3.3 (d) - radio equipment does not harm the network or its functioning nor misuse network resources, thereby causing an unacceptable degradation of service
- RED Article 3.3 (e) - radio equipment incorporates safeguards to ensure that the personal data and privacy of the user and of the subscriber are protected
- RED Article 3.3 (f) - radio equipment supports certain features ensuring protection from fraud
To help manufacturers comply with these essential requirements, the European Commission issued a “standards request” to the European Standards Organisations (ESO), asking them to produce standards to assist in compliance. Further guidance is also expected from the Commission.
What do the Essential Requirements actually mean?
Article 3.3(d) – Protect the network
It covers radio equipment that can communicate directly through the Internet and radio equipment that can communicate over the Internet by way of another connected device. In simple terms, the radio product must not harm the network, nor be able to be compromised in a way that causes harm to the network.
Article 3.3(e) – Privacy
This requires radio equipment to incorporate safeguards to ensure that personal data and privacy are secured. This includes, but is not limited to, radio equipment that can process personal, traffic and location data.
Article 3.3(f) – Protection from fraud
It will protect users who wish to use radio products to process financial transactions, guarding them against compromise and fraud.
The Delegated Act was cited in the EU’s Official Journal on 12th January 2022. The legislation is presently in force, and compliance with the essential requirements becomes mandatory from 1st August 2024. This means that manufacturers now have only a year to ensure their internet-connected radio devices adhere to the new provisions. This time will go very quickly, so manufacturers should start incorporating the new requirements into product technical specifications as early as possible.