Cyber security to become a requirement for CE marking

Cyber security will become a requirement for CE marked radio equipment under the Radio Equipment Directive (RED) on equal terms with today’s requirements for electrical safety, electromagnetic compatibility (EMC) and radio.

When you first read this, your initial thought may be that this change derives from an amendment to the existing RED. However, this is far from the case.

Cyber security has always been a part of RED
The Radio Equipment Directive (commonly referred to as RED) is the directive applicable for most radio products, including typical Internet of Things (IoT) products. The directive specifies standards and requirements for radio, EMC, and electrical safety. To most people it will come as a surprise that cyber security has also always been a part of RED – more specifically part of its ‘article 3’. The reason most people do not know this, is that article 3 was never implemented due to uncertainty on how to verify compliance.

But this is about to change.

The European Commission has drafted a text implementing RED’s article 3 – i.e. the cyber security requirements – and simultaneously requested CENELEC (European Committee for Electrotechnical Standardization), CEN (European Committee for Standardization) and the Standardization Organization ETSI to make standards covering these new requirements.

These new cyber security requirements will apply from 30 months after publication in the Official Journal of the EU and will be binding for all member states. This may seem like a long time, but it is most likely within the lifespan of products that are under development right now.

More on article 3...
To be more precise we need to focus our attention on part 3 (d), (e) and (f) of article 3. Briefly explained, the requirements under article 3,3 include:

(d) Not to harm or misuse networks, causing unacceptable reduction of service
(e) Protection of personal data and privacy
(f) Protection from fraud

As we see, the requirements are quite vague, much like for other directives like the Low Voltage Directive (LVD), hence the need for a standard before the requirements are implemented.

Which products are included?
The European Union’s (EU) implementation of RED article 3 means that the above requirements will be mandatory for the following products:

(d) Any radio equipment communicating over the internet, directly or indirectly
(e) All radio equipment processing personal data or traffic data and location data e.g.

• Internet-connected radio equipment
• Radio equipment for childcare
• Radio equipment within the Toy Safety Directive
• Wearable radio equipment

Products excluded from the new cyber security requirements are equipment covered by Medical Device or In-Vitro Regulation, as well as Aviation, Vehicles and Road Toll systems.

What should manufacturers do?
As I said in the beginning: when this amendment is implemented, cyber security will be required for CE marking, just as safety, EMC and radio is today. The precise requirements are not yet defined, pending CEN, CENELEC and ETSI to make the new standards covering the newly implemented articles.

This will not be until 30 months after publication in the EU’s Official Journal, so in the meantime, the most relevant European standard to take notice of is the ETSI/EN 303 645 standard published in 2020. This standard covers consumer IoTs, which is very much the scope of the products affected.

My clear advice to the manufacturers is that they ensure their products are in compliance with the ETSI/EN standard, both as a preparation for the coming RED requirements, but also to cover the already implemented General Data Protection Regulation (GDPR) requirement. The GDPR also includes requirements both to privacy and cyber security which are also covered by the ETSI/EN 303 645.

Contact Nemko today to hear more about how we can help you.