    Webinar: The global trends of cyber security

    Q&A

    Q: How to deal with equipment containing an already certified Radio module in the end-system?
    A: Whether a radio module is already certified according to the traditional requirements of RED, or not, does not have any impact on the cyber security requirements.

    Q: Is article 3.3 (d)(e)(f) really mandatory for products already on the market? I have seen multiple firm statements to the contrary, and that it is only mandatory for products being launched AFTER Aug 1st 2024
    A: This is a misunderstanding. The requirements are applicable to products “put on the market” after Aug 1st 2024 – HOWEVER, “put on the market” is when that individual product was put on the market.
    Example: Products already in the stores on Aug 1st 2024 will not be affected by the new requirements – but the next batch coming from production will be included in the scope – even if similar products were sold earlier.

    Q: How will manufacturers have to show compliance when distributing products around the world? Will a piece of evidence be required for each country's schemes/regulations? Or will there be a worldwide/common evidence developed? Otherwise, in practice, you will have to prepare more than 50 documents to be written and maintained.
    A: Cyber security really has no national dependencies, but it is unlikely that there will be one standard being used by all countries, at least initially. However, some standards are fairly similar, so it should be possible to combine these into one evaluation. If IEC would adopt the ETSI/EN 303 645 as an IEC standard, that would speed up the alignment process by many years!

    Q: What happens if the standard to measure compliance to EU RED is not available by 1 August 2024?
    A: The RED states that a Notified Body would need to be used if no relevant, harmonized standard is published. That is currently being discussed among the Notified Bodies, but we hope the harmonized standard is scheduled as planned.

    Q: It is my understanding that 3.3 (d) applies to all internet connected products. Do we have a good understanding of how internet connected will be defined?
    A: The definition of being internet connected is having access to public internet either directly or indirectly, e.g. through a router. Products for children / childcare are in the scope regardless of internet connection.


    Q: How will a product manufacturer demonstrate compliance to the standard developed for EU RED?
    A: Basically, the same way as, e.g., for safety today – by a test report being a part of the product's technical construction file. This report may be done by the manufacturer or by a third party.

    Q: Are there any certification marks for cyber security that a consumer can look for to be sure that an IoT product is safe?
    A: Today, there are actually very few – e.g. the Finnish or German labels, in addition to a few private certification labels. But this covers a very low percentage of the products on the market.

    Looking for other certification marks, like for safety, may give an indication of the maturity of the manufacturer. A product having CE marking only is something I would definitely avoid.

    Q: How are medical devices including internet connectivity via radio affected?
    A: Products under the Medical Equipment Directive and In Vitro Directive are not covered by RED article 3.3 d, e or f.

    Q: What are the requirements for luminaires with Dali connection (can be connected to the Internet)?
    A: Connected luminaires are in the scope of RED. Which protocols are being used is not relevant for the products in the scope.