The Radio Equipment Directive 2014/53/EU (RED) establishes a legal framework for radio equipment by laying down essential requirements for electromagnetic compatibility, health and safety, the effective use of radio spectrum, and the support of efficient use of radio spectrum. Article 3(3) of the Directive specifies further essential requirements, of which the most challenging could be the cybersecurity-related items (d), (e), and (f). The Delegated Regulation (EU) 2022/30 clarifies that these requirements shall be applied to any radio equipment that can itself communicate over the Internet. This is the so-called internet-connected radio equipment, for which compliance with the cybersecurity aspects of the essential requirements is crucial. The deadline to comply with the new cybersecurity requirements of RED is just around the corner.
3(3)(d), to ensure network protection;
3(3)(e), to ensure safeguards for the protection of personal data and privacy;
3(3)(f), to ensure protection from fraud.
The new requirement will become mandatory on August 1, 2025, according to the latest decision of the European Commission. This gives manufacturers a 42-month transition period.
This represents a penetration rate of 121% of the population
This number is higher than the present population of the Earth.
With the emergence of Wi-Fi, Bluetooth, and NFC, more products are becoming internet-connected devices that behave like radio equipment and are used in many areas of our lives. Radio equipment covers a range of products, including devices that intentionally emit and/or receive radio waves for communication, such as mobile phones, smart devices, and Wi-Fi routers, as well as devices that use radio frequencies for remote control functions, such as garage door openers and remote-controlled toys. These products fall under the scope of the RED and must undergo a conformity assessment procedure to ensure that they meet the essential requirements of the directive before they can be placed on the European market. The RED provides several options for manufacturers to demonstrate that their products meet EU requirements:
1. Internal Production Control (Module A): this method allows manufacturers to assess their products internally, provided that they have the necessary competence and capabilities to evaluate equipment and its documentation.
If the manufacturer does not have the competency for conformity assessment, has not applied the harmonized standards, or if there are no harmonized standards for the given essential requirements, then the manufacturer shall select one of the following options:
2. EU-Type Examination (Module B) + Conformity to Type (Module C): First stage (module B): this approach requires an independent assessment by a Notified Body. The Notified Body examines the technical design of the radio equipment and verifies that it meets the essential requirements. This means the manufacturer must create detailed technical documentation demonstrating compliance with the product design and production capabilities. Although the Notified Body examines only the relevant documents, this documentation must include test reports covering the various aspects of the RED essential requirements. If the manufacturer lacks the competence to perform the necessary tests, a competent testing laboratory can be engaged. After a positive result from the EU-Type Examination, the Notified Body issues the certificate.
The Second stage (module C):
Next, the manufacturer must ensure ongoing compliance through internal production controls.
3. Full Quality Assurance (Module H):
For this option, the manufacturer implements a comprehensive quality management system, which is then assessed and approved by a Notified Body. This ensures that the production processes consistently produce compliant products, providing the highest level of assurance.
Ultimately, the manufacturer is responsible for the compliance of its product, regardless of whether a Notified Body was involved in the conformity assessment procedure or not.
After the successful conformity assessments, the manufacturer must complete the technical documentation (including the certificate issued by the Notified Body, if necessary) and draw up the Declaration of Conformity. Only after these steps can the CE Marking be affixed to the product, allowing it to be placed on the EU market.
To better understand the above conformity assessment options, it's important to know about the relevance of the harmonized status of a European standard. A European standard, issued by CEN, CENELEC, or ETSI, becomes harmonized when it is listed in the Official Journal of the European Union under the given directive or regulation. A harmonized standard is prepared to address appropriate provisions for the essential requirements. That is why if a product complies with all applicable harmonized standards, it is presumed to comply with the essential requirements set out in the directive. The harmonized standards under RED can be checked on the EU website.
The Delegated Regulation (EU) 2022/30 was adopted by the European Commission (EC) in October 2021 and will enter into force in August 2025. This act specifies that internet-connected radio equipment shall comply with the cybersecurity-related essential requirements as well.
Currently, there is no harmonized standard to cover the cybersecurity aspects of the essential requirements of the Radio Equipment Directive. However, the standard ETSI EN 303 645 has been widely accepted by the industry and is also used as the state of the art by notified bodies for conformity assessment of consumer IoT devices. The EU Commission mandated CEN and CENELEC to prepare harmonized standards EN 18031-1, EN 18031-2, and EN 18031-3 that will cover the new cybersecurity requirements for the Radio Equipment Directive. These measures address various aspects of cybersecurity in the EU to ensure that radio equipment is secure, reliable, and compatible across different EU member states. If there is no harmonized standard for the cybersecurity aspects of RED essential requirements, the manufacturer shall apply for Notified Body certification.
The planned standard series EN 18031 will apply to internet-connected radio equipment. When a standard is selected for designing a product and for the conformity assessment, it's important to carefully verify the scope of the standards to check their applicability. Depending on the intended use and the purpose of the product, different standards may be applicable for consumer IoT devices and for industrial control systems and components. In the latter case, the standard series IEC 62443 should be used.
The EC plans to create new harmonized standards based on the requirements of the new delegated act.
Based on workshops and presentations from the ESOs and commission, the harmonized standards will likely be based on existing IoT cybersecurity standards EN 303 645 and IEC 62443-4-2.
Get professional support and get prepared before the upcoming deadline!
CCLab is ready to help you comply with the existing cybersecurity standards for consumer IoT devices (ETSI EN 303 645) and for IIoT Industrial Control System components (ISA/IEC 62443-4-2). Compliance with these relevant standards can help demonstrate conformity with the relevant requirements of the RED.
As both consumer IoT devices and certain types of ICS equipment may fall under the scope of the RED, adherence to relevant cybersecurity standards and practices is essential for compliance. Adhering to these standards can enhance the security, privacy, and reliability of radio equipment and consumer IoT devices, aligning with the objectives of the RED. We provide consultation and testing services for both Consumer IoT devices and for Industrial IoT components that comply with the RED directive.
CCLab’s cybersecurity testing laboratory has been qualified by the RED Notified Body CerTrust (ID: 2806). Thus, cybersecurity evaluations can be accepted by CerTrust for Notified Body certification.
Are you finding it difficult to navigate the complexities of ETSI EN 303 645 for securing your IoT devices?
Wondering if your existing product documentation meets the stringent standards set out by this cybersecurity benchmark?
Do you feel that meeting ETSI's security requirements is an intricate and overwhelming task?
Whether you're gearing up for your first dive into the Internet of Things (IoT) security certification, or you're looking to refine your approach to compliance with ETSI EN 303 645 without unnecessary expenditure of time and resources,
Get your product ready for RED compliance by understanding the ETSI EN 303 645 or ISA/IEC 62443-4-2 standards and conditions. Contact us for guidance.
The standards for consumer IoT devices (ETSI EN 303 645) and for industrial control systems and components (IEC 62443-4-2) are recognized in several countries around the world. If your target markets are outside the EU, you can use efficient certifications to cover several markets based on one test. This is the IECEE CB Scheme, which is the largest international certification scheme for electrical and electronic products and components (including IoT products). Its goal is to facilitate the international trade of manufacturers in more than 50 member countries.
CCLab is a recognized CB Testing Laboratory under the National Certification Body of QIMA Certification (Germany) GmbH. We offer our CB testing and certification for IoT and IIoT devices.
You can read more about CB certification on our website:
Consumer IoT and industrial control system (ICS) cybersecurity are related to the RED (Radio Equipment Directive) in addressing security requirements for radio equipment placed on the EU market. While the RED primarily focuses on ensuring safety, electromagnetic compatibility, and efficient use of the radio spectrum, it also emphasizes the importance of security considerations for all types of radio equipment. Both consumer IoT devices and ICS components may fall under the scope of the RED, and adherence to relevant cybersecurity standards and practices is essential for compliance.
ETSI EN 303 645 is the first globally applicable Cybersecurity Standard for Consumer IoT Devices. It contains a set of 13 security categories and some provisions specifically focused on Data Protection. The ETSI EN 303 645 standard aims to prepare IoT devices to be protected against the most common cybersecurity threats and to prevent large-scale attacks against connected devices. It provides a basis for future IoT certification schemes.
The Radio Equipment Directive (RED) covers a broad range of radio equipment intended for consumer use e.g. smart home devices, wearable devices, home automation devices, and connected healthcare devices.
Consumer IoT manufacturers seeking RED compliance for IoT devices can benefit from following the cybersecurity guidelines provided by ETSI EN 303 645. These guidelines address aspects such as secure development practices, vulnerability management, secure communication, and user privacy.
CCLab provides consultation and testing services, and issues a Statement of Conformity (SoC) after the successful evaluation of Consumer IoT devices based on ETSI EN 303 645. For the EU market, we can offer you the EU-Type Examination Certificate issued by our partner Notified Body. In the case of international markets, we can provide you with CB Certification for consumer IoT devices. Do you need support to evaluate your consumer IoT device?
ISA/IEC 62443 is a globally recognized set of cybersecurity standards designed to safeguard industrial automation and control systems (IACS). These standards provide a comprehensive framework for establishing secure and resilient IACS environments, helping to protect critical infrastructure such as power plants, manufacturing facilities, oil and gas installations, and transportation systems.
The ISA/IEC 62443 series consists of several parts, each focusing on different aspects of industrial cybersecurity. IEC 62443-4-2 outlines the processes and practices that should be followed while developing and implementing IACS components to mitigate cybersecurity risks. It specifies the technical security requirements that manufacturers and developers should consider to ensure the secure design, coding, and testing of their products.
Certain types of ICS equipment that include radio functions or wireless communication capabilities may be subject to RED, e.g. wireless sensors, remote controllers, and wireless communication modules. Manufacturers of such radio equipment can benefit from following the principles and best practices outlined in ISA/IEC 62443. Adhering to these standards can help in developing secure radio equipment that aligns with the objectives of the RED, particularly regarding the security and privacy aspects.
Also in the case of industrial control systems, you can benefit from the CB Certificate that can be utilized for RED compliance and to access markets outside the EU.
CCLab is ready to help you to conform and comply with the desired standards and security levels.
Do you have questions about Radio Equipment Cybersecurity and RED compliance? Explore our FAQ for answers.
Need assistance with your Radio Equipment Security project? Reach out to us for expert guidance.