The European Union’s Radio Equipment Directive (RED), which delineates essential requirements for all radio equipment marketed in the EU, was revised in 2014 to adapt to technological changes propelled by IoT. The directive was revised to include all receivers, all equipment that transmitted and received data, such as kitchen appliances that could receive data from mobile phones. Despite providing clarity on technical jargon and the role of Notified Bodies, the 2014/53/EU (RED) does not clearly discuss product and software security. Here’s what you need to know about the security of products that fall under the 2014/53/EU (RED).
Your first question might be: does the RED even cover cybersecurity? Cybersecurity is covered by the provisions of Article 3 (3) of the RED. The following are essential requirements for radio equipment pertaining to cybersecurity:
Article 3 (3) (d): misuse of network resources is prohibited.
Article 3 (3) (e): personal data should be protected when radio equipment is used.
Article 3 (3) (e): privacy should be protected when radio equipment is used.
Article 3 (3) (f): user must have protection from fraud when radio equipment is used.
So, network use, personal data, privacy, and fraud are all included under the RED. But what exactly is fraud? According to the directive, fraud relates to the use of the product. In other words, products must be protected in such a way as to prevent unauthorized access to data, which could lead to fraudulent acts. The RED does not protect the product itself from fraud (i.e. counterfeiting the product); it simply protects the user.
Applicability to Non-radio Functions
Another important thing to note is how these requirements apply to radio equipment. For instance: are these requirements applicable to non-radio functions?
In short, no.
Article 3 (3) of the RED does not differentiate between radio and non-radio functions. A supplemental document, however, entitled Supplementary Guidance on LVD/EMCD/RED does discuss the applicability of the RED to non-radio electrical appliances functioning with radio equipment. According to this supplementary guidance, these products are subject to Article 3 (3) of the RED in one of two ways:
If the radio portion of the non-radio equipment is a permanently fixed part of the product when placed on the market, the entire product is subject to Article 3 (3) of the RED.
If the radio portion of the non-radio equipment is not a permanently fixed part of the product, then only the radio portion of the product is subject to Article 3 (3) of the RED.
In both scenarios, the product must meet the above requirements. This is to ensure that users are protected from hackers who could steal personal data stored in any part of the product via radio functions. In addition to this, radio equipment should be designed in such a way that one cannot upload software that could potentially compromise the product’s compliance.
Software So we just mentioned software (briefly). You might now be wondering: does the RED apply to software? The RED is applicable to software, as it is often a component of radio equipment. 2014/53/EU (RED) mentions software in the following:
Article 3 (3) (i): requires the manufacturer to incorporate features in radio equipment that prohibit the user from uploading software that could affect product compliance (as mentioned above).
Article 4: delineates specific requirements regarding the combination of radio equipment and updated software.
Article 10 (8) and Annex VI: requires the manufacturer to include a description of the software.
Annex V: requires the manufacturer to describe software versions that affect radio equipment compliance.
Of course, these requirements are only applicable to software that is included within the product before it is put on the market. So what about after it is put on the market? If software is, for instance, updated then does it have to comply with these requirements? When Member States review the compliance of products, they may review the compliance of software updates, but they are not required to do so. In any case, the RED prohibits the installation of software that could affect product compliance, as mentioned in in Article 3 (3) (i).
It should be noted that, while manufacturers should provide software that ensures compliance during the product’s lifecycle, they are not required to update software if it no longer complies with the RED due to, say, a new hacking tactic that could not have been anticipated. They should be required to, but the RED is only applicable to products when they are placed on the EU market. Incorporated features must be able to address existing and reasonably known future risks. As hackers become even more sophisticated in their techniques, it is important to ensure that products possess few to no vulnerabilities in their security. And as products become more complex, it is vital that engineers ensure compliance to RF and EMC standards. All radio equipment placed on the EU market should be tested to ensure compliance with ETSI’s standards. Rhein Tech Laboratories provides testing to the following ETSI standards:
EN 300 086-2
EN 300 113-2
EN 300 219-2
EN 301 489-5
EN 300 330-2
EN 300 440
EN 301 489-3
EN 300 328-2
EN 301 489-17
EN 300 826
Contact us today for more information. Like the information in this article? You can receive industry updates, answers to popular engineering questions, and more by subscribing to our monthly newsletter. Simply contact firstname.lastname@example.org and ask for a subscription! It’s that easy.