The Digitalist Team
June 18, 2024

Challenges in Implementing the Radio Equipment Directive’s Cybersecurity Requirements

The Radio Equipment Directive (RED) plays a pivotal role in the single market for radio equipment. It establishes a regulatory framework that promotes seamless trade, ensures product safety, and enhances consumer protection across the European Union. The inclusion of articles 3.3(d), 3.3(e), and 3.3(f) provides requirements for manufacturers on cybersecurity compliance, introducing new dimensions to the already comprehensive directive.

The Radio Equipment Directive 2014/53/EU is a regulatory framework for placing radio equipment in the market. It sets fundamental requirements for safety and health, electromagnetic compatibility, and effective utilization of radio spectrum by these devices. However, adhering to the directive's cybersecurity requirements can pose some challenges. In this article, we explore those challenges and provide guidance on how to overcome them.

The Importance of Harmonization

Harmonized standards are European standards developed by recognized European Standards Organizations such as CEN (European Committee for Standardization), CENELEC (European Committee for Electrotechnical Standardization), and ETSI (European Telecommunications Standards Institute). These provide the technical specifications necessary for products to comply with EU legislation, ensuring uniformity and facilitating seamless trade within the European single market.

Currently, there is no harmonized standard covering the cybersecurity aspects of the essential requirements of the Radio Equipment Directive. However, the standard ETSI EN 303 645 has been widely accepted by the industry and is also used as the state of the art by notified bodies for the conformity assessment of consumer IoT devices. The EU Commission has mandated CEN and CENELEC to prepare the harmonized standards EN 18031-1, EN 18031-2, and EN 18031-3, which will cover the new cybersecurity requirements of the Radio Equipment Directive. These measures address various aspects of cybersecurity in the EU to ensure that radio equipment is secure, reliable, and compatible across different EU member states.

Furthermore, these measures are crucial in facilitating international trade and boosting economic activity. By providing a common framework, harmonized standards enable manufacturers to operate more efficiently, reduce costs associated with meeting multiple regulatory requirements, and enhance product reliability and safety. However, aligning with these regulations presents several challenges. 


The Challenges of Compliance to Harmonized Standards of RED

The list of harmonized standards concerning the Radio Equipment Directive (RED) is not fully developed yet, leading to potential technical fragmentation. This lack of fully developed criteria can disrupt system coherence, impacting over 80% of global commodity trade and reducing trade effectiveness.

Moreover, implementing these measures requires sophisticated verification methods, including penetration testing and encryption validation. This demands significant investment in skilled personnel and advanced equipment, posing a considerable challenge for manufacturers. Below, we examine in detail the challenges posed by the cybersecurity essential requirements of RED.

Network Protection – Article 3.3(d)

Among the impacts of RED is enhanced network protection, articulated in Article 3.3(d) of the Radio Equipment Directive. This article requires device manufacturers to include features that protect communication networks. These features must ensure that the devices do not interfere with the functionality of websites or services. This is crucial as the interconnected nature of modern devices means that vulnerabilities in one device can compromise entire networks.

Implementing Article 3.3(d) necessitates a comprehensive approach to cybersecurity, beginning with security by design, which requires manufacturers to integrate robust security features from the initial stages of product development. This strategy is complemented by the necessity for regular updates and patches, ensuring that devices remain protected against emerging threats through continuous software maintenance.

Robust testing procedures are also essential, as devices must undergo extensive testing to identify and mitigate vulnerabilities before being released to the market. This requires significant investment in advanced testing equipment and skilled personnel who can carry out these tests effectively.

The upcoming standard EN 18031-1 addresses the requirements regarding the protection of the network.

Personal Data and Privacy Protection - Article 3.3(e)

Article 3.3(e) improves personal data and privacy protections. It mandates that device manufacturers implement safeguards to prevent unauthorized access to, or transmission of, consumers' personal information. This is particularly important in an era where data breaches and privacy violations are prevalent.

Key requirements include ensuring that personal data is encrypted in transit and at rest, implementing strong access control mechanisms to restrict unauthorized access, and ensuring that users are informed and give consent before their data is collected or processed. These measures are crucial, but they also pose significant challenges for manufacturers.

Implementing these safeguards requires advanced technical solutions, such as encryption technologies and secure authentication methods. Manufacturers must conduct regular security audits to ensure compliance and identify potential vulnerabilities. This involves continuous monitoring and updating of security protocols, which can be both costly and resource-intensive.

Part 2 of the future standard series EN 18031 deals with the protection of personal data and privacy.

Fraud Prevention - Article 3.3(f)

Article 3.3(f) aims to lower the risk of fraud by requiring features such as improved user authentication controls, in order to reduce fraudulent electronic payments and monetary transfers. This includes the use of strong authentication methods, like multi-factor authentication, to verify the identity of users.

Implementation challenges include developing robust yet user-friendly authentication mechanisms, ensuring compatibility with existing financial systems, and keeping up with evolving fraud tactics and regulatory changes. Manufacturers must balance the need for strong security measures with the demand for a seamless user experience, which can be difficult to achieve.

Moreover, staying ahead of evolving fraud tactics requires continuous innovation and updates to security measures. This necessitates ongoing investment in research and development, as well as collaboration with financial institutions and regulatory bodies to ensure compliance with the latest standards and practices.

The planned harmonized standard EN 18031-3 specifies provisions for protection from fraud.

Compliance and Market Access

Compliance with the above-mentioned, not yet published harmonized standards will grant products the presumption of conformity with the essential requirements of the relevant legislation (i.e. RED), allowing manufacturers to access the EU market. Adhering to these standards demonstrates that manufacturers have followed the essential requirements of the directive, simplifying the regulatory approval process.

Obtaining compliance certification can be complex and time-consuming, requiring extensive documentation and testing. Manufacturers must ensure that their products meet all relevant standards and regulations, which can involve significant administrative and logistical challenges. Additionally, the need to update products and processes to comply with new standards can result in additional costs and delays.

The Radio Equipment Directive involves advanced testing protocols. Source: Freepik

The Need for Improved Market Surveillance

To achieve effective market surveillance, distributors and importers must cooperate closely with manufacturers or their authorized representatives. This collaboration is crucial for maintaining an appropriate level of traceability for devices. A comprehensive traceability system is vital as it ensures efficient recall management. In case of any defects or issues, manufacturers can react swiftly if they have a detailed record of the supply, production, and distribution history of the affected products.

The RED has introduced enhanced market surveillance instruments to improve compliance. One such measure is the potential requirement for preregistration of radio equipment in categories with historically low compliance levels. This preregistration helps authorities to conduct preliminary checks before these products enter the market, ensuring they meet the necessary standards.

Ensuring compliance with RED articles 3.3(d), 3.3(e), and 3.3(f) demands sophisticated testing and verification processes. These articles cover network protection, personal data and privacy protection, and fraud prevention, respectively. Radio equipment's technical complexity and diversity pose significant challenges for market surveillance authorities. 

Advanced testing protocols, including penetration testing and encryption validation, are required to ensure that devices meet the stringent security and safety standards set by the directive. This necessitates significant investment in skilled personnel and advanced equipment.

Compliance Challenges with Articles 3.3(d), 3.3(e), and 3.3(f)

Ensuring compliance with the essential cybersecurity requirements in RED articles 3.3(d), 3.3(e), and 3.3(f) presents significant challenges due to the technical complexity and diversity of radio equipment.

The Radio Equipment Directive involves advanced testing protocols that require sophisticated verification methods, including penetration testing and encryption validation. It also demands significant investment in skilled personnel and advanced equipment to ensure thorough evaluations.

The diverse equipment landscape poses a challenge due to the wide variety of devices, which complicates the application of uniform surveillance methods. Additionally, rapid technological advancements necessitate continuous updates to testing methodologies and regulatory frameworks.

Lastly, international cooperation is crucial for effective market surveillance. It involves sharing best practices to enhance overall surveillance efficacy and conducting joint actions for collaborative investigations. This cooperation addresses cross-border non-compliance and improves market integrity.

If you would like to know more about the Radio Equipment Directive, you can find everything you should know about RED in our previous article.

Challenges for Manufacturers in Conformity Assessment According to The Radio Equipment Directive

Manufacturers face challenges in complying with the Radio Equipment Directive, especially regarding the new cybersecurity requirements outlined in articles 3.3(d), 3.3(e), and 3.3(f). These challenges encompass the need for harmonized standards, interoperability issues, and the necessity for precise technical and regulatory alignment.

  1. Need for Harmonized Standards

At the time of writing this article, the harmonized standards EN 18031-1, EN 18031-2, and EN 18031-3 have not yet been published. These standards will cover the new cybersecurity requirements of the Radio Equipment Directive and will give manufacturers detailed provisions on their responsibilities and on the actions to be taken for compliance.

Once these standards are published, many open questions will be answered, and radio equipment manufacturers can start taking all the necessary conformity assessment measures for EU market access. However, as the deadline for the new cybersecurity essential requirements under the RED Delegated Act is getting close (1st August, 2025), it is highly recommended that the manufacturers concerned initiate the time-consuming evaluation process now. An experienced cybersecurity consultant and/or testing laboratory can provide great value during this preparatory phase.

According to article 17 of the Radio Equipment Directive, if harmonized standards for certain aspects of the essential requirements do not exist, a Notified Body has to be involved in the conformity assessment of the product. Currently, this is the case for internet-connected radio equipment, due to the lack of harmonized cybersecurity standards.

  2. Lack of Interoperability

One of the primary challenges is the lack of interoperability at the device end, leading to several problems. Consumers often find it difficult to integrate devices from different manufacturers, resulting in a fragmented user experience, dissatisfaction and eroded trust in radio equipment products. 

Non-interoperable devices can lead to consumer lock-in, where consumers become dependent on a single manufacturer for all compatible products, reducing market competition and innovation. This issue also contributes to increased e-waste, as non-interoperable devices are more likely to be discarded when they become incompatible with new technology. 

Moreover, the lack of interoperability can drive consumers to purchase additional adapters or entirely new systems, increasing their overall expenses and potentially leading to a rise in counterfeit products as consumers seek cheaper alternatives.

  3. Technical and Regulatory Alignment

The rapid pace of technological advancement presents a significant challenge in aligning technical specifications with regulatory requirements. Implementing the cybersecurity essential requirements of RED articles 3.3(d), 3.3(e), and 3.3(f) involves several key aspects.

For network integrity, outlined in the Radio Equipment Directive’s 3.3(d), manufacturers must incorporate robust security features to protect communication networks and prevent devices from interfering with the functionality of websites or services, requiring ongoing updates to counter emerging threats. Regarding personal data protection (3.3(e)), manufacturers must implement safeguards against unauthorized access and transmission of personal information, which often involves complex encryption technologies and regular security audits. 

Each EU member state may have unique regulations, which makes careful compliance management necessary to align with the Radio Equipment Directive. Source: Envato

For fraud prevention (3.3(f)), devices must include enhanced user authentication controls to reduce fraudulent electronic payments and monetary transfers, necessitating continuous updates and integration of the latest fraud prevention technologies.

  4. Staying Updated with Regulatory Changes

Manufacturers must stay updated with the latest regulatory changes and guidelines to align with the cybersecurity requirements of the Radio Equipment Directive. This involves investing in compliance processes, developing internal systems to ensure ongoing compliance with evolving standards, hiring compliance experts, conducting regular training sessions, and investing in compliance management software. 

Active engagement with regulatory bodies helps manufacturers stay informed about upcoming changes and provides opportunities to influence policy development. Participation in industry forums and working groups can also facilitate knowledge sharing and collaboration.

Summary

Implementing the Radio Equipment Directive presents significant challenges for manufacturers, including the need for harmonized measures, improved market surveillance, regulatory compliance, and device interoperability. The directive aims to enhance cybersecurity and promote a unified market approach, fostering innovation and consumer trust.

CCLab helps manufacturers adhere to current cybersecurity standards, laying the groundwork for future harmonized standards under the Radio Equipment Directive Delegated Act. Until the upcoming harmonized standards (EN 18031 series) are published, existing cybersecurity standards could be used for compliance purposes depending on the nature of the device to be certified. These include the IoT cybersecurity standard ETSI EN 303 645 and the ISA / EN IEC 62443-4-2 standard for Industrial Control System Cybersecurity. Complying with these criteria with the compulsory involvement of a Notified Body can demonstrate conformity with the Radio Equipment Directive's requirements.
