Product Compliance Resources provided by ProductIP

2024-09-24

Cybersecurity for radio equipment

Disclaimer: This document provides guidance and is not a legally binding interpretation and shall therefore not be relied upon as legal advice.

Every day more and more wireless devices (radio equipment) are put on the European market. Cyber threats are a rapidly growing worldwide risk for every consumer.

In 2020, the European Commission introduced its Cybersecurity Strategy. With this strategy, the EU aims to ensure the security of essential services, such as hospitals and energy networks, as well as the safety of the rapidly increasing number of connected devices in our homes, offices, and factories.

Regulation (EU) 2022/30

To implement the strategy for consumer products, the essential requirements in Article 3(3)(d), (e), and (f) of the Radio Equipment Directive (RED) 2014/53/EU have been updated through Delegated Regulation (EU) 2022/30, specifying the categories of radio equipment to which these articles apply. With this regulation, the design of wireless devices should guarantee a sufficient level of cybersecurity, personal data protection and user privacy.

The regulation enters into force on 1 August 2025.

Essential requirements

The Radio Equipment Directive sets out essential requirements regarding electrical safety, electromagnetic compatibility, efficient use of radio frequencies, and specific requirements for certain product categories.

With regard to cybersecurity, the following articles are involved:

  • Article 3(3)(d) states that internet-connected radio equipment, whether communicating directly or through other devices, must not harm the network, disrupt its functioning, or misuse network resources, as this could lead to unacceptable degradation of services.
  • Article 3(3) (e) includes security measures for radio equipment capable of processing personal data, traffic data and location data. These essential requirements apply to:
    1. Electronic devices capable of communicating via the internet, such as smartphones, tablets, cameras and IoT devices, as long as they do not fall under Article 3(3) point (b), (c) or (d).
    2. Radio equipment designed for childcare, e.g. child monitors.
    3. Wireless toys falling under Toy Safety Directive 2009/48/EC that record, store or share information (photos, videos, location data) or interact with the user, especially when speakers, microphones and other sensors are integrated.
    4. Wearable radio equipment designed to be worn on, strapped to or hung on the head, neck, trunk, arms, hands, legs or feet. This also includes any headwear, hand wear or footwear, such as a smartwatch, ring, fitness tracker, headset, earphone or glasses.
  • Article 3(3)(f) defines essential requirements for radio equipment through which money, monetary value, or virtual currency can be transferred. Such internet-connected radio equipment should include features to ensure protection against fraud.

Exemptions

The essential requirements above do not apply to medical and in-vitro medical devices (Regulation (EU) 2017/745 and (EU) 2017/746) or radio equipment for motor vehicles (Regulation (EU) 2019/2144).

How to comply with this legislation?

When radio equipment is placed on the European market, it must be ensured that it complies with the essential requirements. Compliance with the RED can be demonstrated by performing a conformity assessment. 

The EU Declaration of Conformity should be drawn up, and CE marking affixed.

The EN 18031-x standards will soon be harmonised in support of Article 3(3) points (d), (e) and (f) of Directive 2014/53/EU, for the categories specified by Delegated Regulation (EU) 2022/30.

These standards may be used to perform a conformity assessment and can thus provide a presumption of conformity with the corresponding essential requirements.

| Standard | Scope | Directive 2014/53/EU | Topic |
|---|---|---|---|
| EN 18031-1:2024 | Common security requirements for internet connected radio equipment | Article 3.3 (d) | Protection of network |
| EN 18031-2:2024 | Data processing internet connected radio equipment for childcare; toys and wearables | Article 3.3 (e) | Data and privacy protection |
| EN 18031-3:2024 | Radio equipment processing (virtual) money or monetary value | Article 3.3 (f) | Protection against fraud |

Notified Bodies

If the manufacturer does not apply a harmonised standard to demonstrate compliance with the essential requirements set out above, then the assessment shall be done by a Notified Body.

A list of notified bodies authorised to carry out conformity assessment according to Article 3.3(d), (e) and (f) of Directive 2014/53/EU can be found on NANDO.

Privacy

Refer to this article on ProductIPedia for information about protection of privacy for internet of things.

 

 
