Wireless Technology


New EU security legislation for wireless products


By Joe Lomako, business development manager (IoT) at TÜV SÜD, a global product testing and certification organisation


On 12th January 2022, the European Commission updated the Radio Equipment Directive (RED) to include additional legislation related to security (2022/30/EU). The RED is applicable to all electrical and electronic devices that intentionally emit and receive radio waves at frequencies below 3000 GHz, and it establishes a regulatory framework for placing radio equipment on the market. In the UK, the RED has been replaced by the Radio Equipment Regulations 2017. However, as EU Directives have been transposed into National Law, the UK already has a legal system in place that applies. This means that for the foreseeable future, the requirements of the UK Regulation will remain the same as those of the EU’s RED, so throughout this article we will refer to the RED.


New security requirements

The European Commission has adopted a Delegated Act of the RED, activating Articles 3(3)(d), (e) and (f) for certain categories of radio equipment to increase the level of cybersecurity, personal data protection and privacy. The update mandates cybersecurity, personal data and privacy protection for devices that can:

• 3.3d: communicate over the internet, either directly or via any other equipment
• 3.3e: process personal data, traffic data or location data
• 3.3f: enable users to transfer money, monetary value or virtual currency

These provisions will become mandatory on 1st August 2024, and manufacturers of radio-connected devices must be compliant by that date or face potential action. The reason behind this is that more and more products are employing radio technology in their applications, and many of these devices connect to the Internet, which could expose such products to increasing security threats and the potential to be attacked and exploited.

What is the RED?

The RED is one of many directives and regulations which are part of the New Legislative Framework (NLF) for placing radio products on the European market. It ensures a single market for radio equipment by setting essential requirements for safety and health, electromagnetic compatibility, and the efficient use of the radio spectrum. It also provides the basis for further regulations by delegated acts adding additional legislation, such as in this case for cybersecurity. Compliance with the RED is achieved by satisfying a number of “essential requirements”. The existing ones for Safety and Health, EMC and Radio are well known as the “original” essential requirements, and we have already seen an additional essential requirement under Article 3.3g for Access to Emergency Services, which became mandatory on 17th March 2022. However, the EU’s Official Journal cites a delegated act for 3.3d, e, f, thereby adding additional essential requirements for cybersecurity. It should be noted that some products are out of scope (for some articles), such as medical devices, aviation, motor vehicles and electronic road toll systems.

Additional RED essential requirements

The text in the RED is quite brief, as detailed below:

• RED Article 3.3 (d) - radio equipment does not harm the network or its functioning nor misuse network resources, thereby causing an unacceptable degradation of service;
• RED Article 3.3 (e) - radio equipment incorporates safeguards to ensure that the personal data and privacy of the user and of the subscriber are protected;
• RED Article 3.3 (f) - radio equipment supports certain features ensuring protection from fraud;

To help manufacturers comply with these essential requirements, the European Commission issued a “standards request” to the European Standards Organizations (ESO), asking them to produce standards to assist in compliance. Further guidance is also expected from the Commission. The standards request sets out the minimum requirements, but the final standards may include further assessment criteria where appropriate, and further guidance could come from the Commission.

What do the essential requirements actually mean?

Article 3.3(d) – Cybersecurity

It covers radio equipment that can communicate directly through the internet and radio equipment which can communicate over the Internet by way of another connected device. In simple terms, the radio product must not harm the network, nor be capable of being compromised in a way that causes harm to the network.

Article 3.3(e) – Privacy

This requires radio equipment to incorporate safeguards to ensure that personal data and privacy are secured. This includes but is not limited to radio equipment that can process personal, traffic and location data.

Article 3.3(f)

It will protect users who wish to use radio products to process financial transactions, and protect them from compromise and fraud.


Compliance time


The Delegated Acts were cited in the EU’s Official Journal on 12th January 2022. The legislation is presently in force, and compliance with the essential requirements becomes mandatory from 1st August 2024. This means that manufacturers now only have a year to ensure their internet-connected radio devices adhere to the new provisions. This time will go very quickly, so manufacturers should start incorporating the new requirements into product technical specifications as early as possible.


www.tuvsud.com/uk

Components in Electronics, July/August 2023

