Complying with the new EU rules on cybersecurity

An update to the EU radio equipment directive now includes requirements for the cybersecurity of electronics products. UL’s Dean Zwarts discusses what manufacturers need to know about it.

The European Commission’s (EC) Radio Equipment Directive 2014/53/EU (RED) establishes a regulatory framework for radio equipment, setting essential requirements for safety and health, electromagnetic compatibility (EMC) and radio spectrum efficiency. The directive now includes Article 3.3 to address device requirements related to cybersecurity.

Why RED Article 3.3 is important

On January 12, 2022, the Official Journal of the European Union published delegated regulation 2022/30/EU, enforcing compliance requirements to RED Article 3.3(d), (e) and (f). The regulation increases cybersecurity, personal data privacy and fraud protection for applicable wireless devices available to the EU market. It took effect February 1, 2022, and becomes mandatory August 1, 2024, giving device manufacturers a 30-month transition period to comply with the cybersecurity requirements of Article 3.3.

What is RED Article 3.3?

Scope of the new regulation

The new regulation covers internet-connected devices that can communicate over the internet, whether directly or via other equipment. Examples include:

  • Internet-connected radio equipment such as connected appliances

  • Radio equipment intended for childcare such as toys

  • Radio equipment to be worn on, strapped to, or hung as wearable devices to human parts or clothing

The scope of RED excludes devices already within the scope of EC regulations:

  • Regulation (EU) 2019/2144: type examination for vehicles

  • Regulation (EU) 2018/1139: civil aviation

  • Directive 2019/520: electronic road-toll systems

  • Directive (EU) 2018/1972: 5G equipment and smart meters

  • Regulation (EU) 2017/745 and Regulation (EU) 2017/746: rules on medical devices

These have similar security requirements but do not fall under the new Article 3.3 regulation.

Harmonized standards in development

Currently, no harmonized standards (HEN) cover the scope of the RED Article 3.3 regulation. Although the EU has not yet tasked the European Standards Organizations (ESOs) with creating such standards, the ESOs and the EU Commission reportedly plan to have a HEN in place before the date of application.

Because the harmonized standard is still pending, the interim proposal is that manufacturers prepare for compliance now, using EN 303 645 or IEC 62443 as a baseline to obtain a formal certification from a Certification Body (CB).

What will manufacturers need to do?

As a manufacturer, it is important to understand whether your product falls under the new RED Article 3.3 cybersecurity requirements. If you want to get ahead of the requirements, you can already comply with Article 3.3 (d), (e) and/or (f) now; however, because that compliance would have to be based on non-harmonized standards, it must involve your notified body (such as UL).

It’s not too early to look at how you can use this baseline of standards to assess the design of your internet-connected product. You may also consider testing products that will ship to Europe in 2024 against these standards, or obtaining a third-party certification that aligns with EN 303 645 while providing proof of compliance with the RED requirements.

This article was written by Dean Zwarts, global business manager for cybersecurity at UL