What are Radio Equipment Directive Cybersecurity Requirements?
The Radio Equipment Directive (RED) is a CE marking directive that regulates the placement of radio equipment on the EU market. CE stands for “conformité européenne” (French for “European conformity”); this marking is mandatory in the 27 EU member states, as well as in Iceland, Norway and Liechtenstein. The RED requires importers and manufacturers to ensure that relevant products are adequately labelled and tested to prove compliance with the RED’s requirements. The RED sets requirements for health, safety, electromagnetic compatibility, and use of the radio spectrum for radio equipment placed on the EU market. The RED covers all devices with wireless communication capabilities, including Wi-Fi, LTE, 5G, Bluetooth, and GPS, and includes USB standards for chargers, user data privacy protection, and software compatibility. The RED covers most radio equipment, including the following products [1]:
- Mobile phones
- Broadcasting devices
- Fitness devices
- Radio transceivers
- Devices with Wi-Fi, Bluetooth, or GPS capabilities
Cybersecurity is a critical aspect of the RED, and manufacturers of radio equipment must meet new, specific cybersecurity requirements. The new requirements took effect in February 2022, but do not become mandatory until August 1, 2025. While there are some exceptions for otherwise regulated categories of devices, the delegated act applies to most directly and indirectly Internet-connected radio equipment, childcare products, toys, and wearable data collection equipment. Cybersecurity requirements are essential for the RED as they address the following [2]:
- Protection against cyberthreats. Radio equipment is vulnerable to cyberthreats such as hacking, malware, and other cyberattacks. The RED cybersecurity requirements help to ensure that radio equipment is designed and manufactured in such a way that it can resist cyberthreats, and can protect the confidentiality, integrity, and availability of data transmitted and received by the equipment.
- Compliance with regulations. Compliance with cybersecurity requirements is mandatory for manufacturers of radio equipment before placing their products on the EU market or putting them into service. Failure to comply with these requirements can result in severe penalties and damage to a company’s reputation.
- Ensuring interoperability. Cybersecurity requirements for the RED help to ensure that radio equipment is designed and manufactured in such a way that it is interoperable with other devices and systems. This ensures that radio equipment can work seamlessly with other devices and systems, without compromising the security and privacy of users.
- Protecting personal data. Radio equipment may transmit and receive personal data, so it is essential to ensure that this data is protected against unauthorized access and theft.
[1] Shen, 2023, “Radio Equipment Directive (RED): An Essential Guide”
[2] Intertek, 2023, “Radio Equipment Directive – Cybersecurity Requirements”