On October 27, 2023, the Official Journal of the European Union published an amendment to the RED Authorisation Regulation (EU) 2022/30, in which the date description of the mandatory implementation time in Article 3 was updated to August 1, 2025.
The RED Authorisation Regulation (EU) 2022/30 is an official journal of the European Union that stipulates that manufacturers of relevant products must take into account the cybersecurity requirements of the RED Directive, namely RED 3(3) (d), RED 3(3) (e) and RED 3(3) (f), in their reference and production.
Article 3.3(d) radio equipment does not harm the network or its functioning nor misuse network resources, thereby causing an unacceptable degradation of service
This clause is applicable to equipment that connects to the internet, directly or indirectly.
Article 3.3(e) radio equipment incorporates safeguards to ensure that the personal data and privacy of the user and the subscriber are protected
This clause is applicable to equipment that is capable of processing personal data, traffic data, or location data. Also, equipment exclusively for childcare, equipment that may worn on, strapped to, or hung from any part of the head or body, including clothing, and other internet-connected equipment.
Article 3.3(f) radio equipment supports certain features ensuring protection from fraud
This clause is applicable to equipment that connects to the internet, directly or indirectly and allows the user to transfer money, monetary value, or virtual currency.
Preparing for the regulation
Although the Regulation does not apply until 1 August 2025, preparation will be an essential aspect of being ready to meet the requirements. The first thing for a manufacturer to do is look at their radio equipment and ask themselves, how cyber secure is this? What do you already do to make it secure from attack? If the answer is “nothing”, then you probably have some work to do.
Regarding compliance with the RED, the manufacturer should look specifically at the requirements listed above and consider how they meet those requirements. The assessment standards, when complete, will provide clear and detailed ways to demonstrate compliance with the requirements.
Some manufacturers already know how to evaluate their products and how to demonstrate that they meet the standardization requirements and the requirements listed in this document. Some manufacturers may have already made such an assessment of their own quality systems.For other manufacturers, BTF will be available to help.There are some useful standards in circulation already and these could be used to assist the manufacturer and test labs in assessment approaches. ETSI EN 303 645 contains sections specifically related to the topics described above, such as updating software, monitoring data traffic, and minimizing exposed attack surfaces.
BTF’s cybersecurity team is available to help explain the standards and guide manufacturers through the process of applying the standards and performing cyber assessments. If you have any questions, please feel free to contact us!
Post time: Nov-02-2023
