The Revised EU Radio Equipment Directive
- September 23, 2024
- William Payne
The European Union’s Radio Equipment Directive (RED), first implemented in 2014, has undergone significant revisions to address increasing cybersecurity risks associated with interconnected devices. These updated provisions, set to become mandatory from 1st August 2025, are designed to enhance the cybersecurity of a wide array of internet-connected devices within the EU market.
The original RED (2014/53/EU) focused on establishing safety and electromagnetic compatibility (EMC) requirements for equipment utilising the radio spectrum. But the rapid proliferation of internet-connected devices, fuelled by technologies such as Wi-Fi, Bluetooth, and NFC, has exposed significant cybersecurity vulnerabilities that were not adequately addressed in the original directive. This has prompted the EU to revise the RED to bolster cybersecurity and protect users from emerging threats.
One of the most significant changes introduced by the revised RED is the inclusion of explicit cybersecurity requirements, primarily outlined in the updated Article 3.3. This article, which has been effective from 1st February 2022, focuses on strengthening the security of radio interfaces and mandates several key cybersecurity measures for radio equipment:
- Network Protection: Radio equipment must be designed to avoid any harmful impact on network functionality and prevent the misuse of network resources that could lead to service degradation.
- Data Privacy: Manufacturers are required to incorporate safeguards into their products to ensure the protection of personal data and privacy for both users and subscribers.
- Fraud Prevention: The updated directive mandates that radio equipment must include features specifically designed to prevent fraudulent activities.
- Emergency Services Access: Ensuring reliable access to emergency services is paramount, and the revised RED mandates that radio equipment must incorporate features supporting this requirement.
In addition to the updated Article 3.3, the EU has introduced Delegated Regulation (EU) 2022/30, which further expands the scope of cybersecurity requirements by specifically targeting internet-connected equipment. Although initially planned for enforcement in August 2024, its implementation has been postponed to August 2025. This regulation aims to address cybersecurity concerns across a broad spectrum of internet-connected devices, reinforcing the overall security framework within the EU.
The revised RED, particularly Delegated Regulation (EU) 2022/30, has significant implications for manufacturers and suppliers of internet-connected equipment. The regulation encompasses a wide range of devices, including those designed for childcare, those covered under the EU’s Directive on the Safety of Toys (2009/48/EC), wearable radio equipment, and equipment enabling financial transactions. By extending cybersecurity requirements to these devices, the EU aims to create a more secure digital environment for consumers.
The updated RED explicitly exempts certain types of radio equipment from the expanded requirements outlined in Delegated Regulation (EU) 2022/30. These exemptions include:
- Medical Devices: Equipment falling under the EU’s Medical Device Regulation (EU 2017/745) and In Vitro Diagnostic Medical Device Regulation (EU 2017/746) is exempt from these expanded cybersecurity requirements.
- Civil Aviation Equipment: Internet-connected equipment and devices used in civil aviation applications are also exempt, as they are governed by separate regulations (EU 2018/1139).
- Automotive Systems: Also exempt are internet-connected equipment and devices used in automotive systems and components, which fall under the scope of EU 2019/2144.
A key aspect of the revised RED is the distinction between the effective date of the updated Article 3.3 and the mandatory compliance date for all cybersecurity provisions, including those under Delegated Regulation (EU) 2022/30. While the updated Article 3.3 came into effect on 1st February 2022, the mandatory compliance date for all cybersecurity requirements is 1st August 2025. This grace period allows manufacturers to adjust their production processes and ensure their products meet the new standards. After August 2025, all radio equipment placed on the EU market must comply with these cybersecurity requirements to obtain CE marking, demonstrating conformity with EU safety, health, and environmental protection standards.