
The Ultimate Guide to RED’s Newest Cybersecurity Requirements


by Isabella Donders & Arianna Gringiani





The connected world revolutionises the way we live and interact, but it also brings security risks. A weakness in an IoT device can become a much bigger threat when it is used to exploit the network the device is connected to.


European standardisation organisations such as CEN/CENELEC, together with ENISA and the European Commission, have been working for many years toward standardisation and harmonisation of the European cyber space.


The Radio Equipment Directive (RED) was one of the first steps taken to require device manufacturers to implement cybersecurity measures. The newest prEN 18031 draft series finally seems to make the requirements more tangible and pave a clearer path toward compliance.


In this post you'll read everything you need to know about RED and the newest prEN 18031 standards.


What is RED?


The RED was published in 2014 by the European Commission. The directive (‘Directive 2014/53/EU’) contains nine essential requirements and is intended as a regulatory framework.


All radio equipment placed on the EU market has had to comply with RED since June 2016.


What is considered radio equipment?


RED defines ‘radio equipment’ in Article 2.1(1) as:


‘electrical or electronic product, which intentionally emits and/or receives radio waves for the purpose of radio communication and/or radio determination, or an electrical or electronic product which must be completed with an accessory, such as an antenna, to intentionally emit and/or receive radio waves for the purpose of radio communication and/or radio determination.’


The directive targets electrical or electronic products that are capable of communicating over the internet, regardless of whether this communication is direct or passes through other equipment.


Radio equipment that fits this definition but is already covered by other regulations is excluded. All exceptions can be found in Article 1.3 and Annex I of Directive 2014/53/EU as well as in Delegated Regulation 2022/30/EU.


Cybersecurity requirements


In January 2022, the European Commission published the Delegated Regulation 2022/30/EU, which activated three essential requirements related to cybersecurity:


  • 3.3d “radio equipment does not harm the network or its functioning nor misuse network resources, thereby causing an unacceptable degradation of service”

  • 3.3e “radio equipment incorporates safeguards to ensure that the personal data and privacy of the user and of the subscriber are protected”

  • 3.3f “radio equipment supports certain features ensuring protection from fraud”


Those requirements will be enforced from August 2025 onward.


Cybersecurity put into practice: prEN 18031 standards

With the activation of the above three requirements, a first step was made toward enforcing cybersecurity requirements for radio equipment within the European market. It shows the importance of a regulated ecosystem for connected devices, especially consumer IoT devices, in order to keep individuals and organisations safe.


However, it raises an important question: how can a manufacturer determine whether those requirements are met? The requirements themselves do not yet give a stable framework for assessing risk and understanding one’s security posture. The three newest standards from the prEN 18031 series answer this question.


Created by CEN CENELEC JTC 13/Working Group 8, and released as draft versions in August 2023, they provide precise requirements, rationales, guidance and pass/fail decisions on how to cover the three Essential Requirements 3.3d, 3.3e and 3.3f.


The draft documents are available for download, and currently open to review and comments.



Content and structure

The documents offer a highly structured guide for users in implementing security requirements. Each requirement undergoes a two-step evaluation process, first assessing its applicability to the product, followed by an examination of implementation appropriateness. These decisions are guided through the use of decision trees, which are also used in the assessment phase.


However, it’s important to note that these documents are still in draft form, and as such, their structure may undergo changes before their official publication.


The requirements cover numerous cybersecurity best practices, spanning security update mechanisms to vulnerability monitoring.

Regarding the latter, prEN 18031 mandates that software and hardware must not contain publicly known exploitable vulnerabilities that could be applicable to the device. This implies that the manufacturer should continuously monitor the device's third-party components for newly published vulnerabilities and address them accordingly.
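As an added example (not part of the original post, and not tooling from the prEN 18031 series), the following Python script shows the kind of automated check such monitoring relies on: it walks a constructed component inventory (SBOM) against a constructed advisory feed and uses version ranges to decide whether the installed version of a component is affected. All component names, versions and advisory identifiers are invented placeholders.

```python
# Added example: match a device's third-party component inventory (SBOM)
# against a vulnerability feed and report components with a known,
# unpatched vulnerability. Names, versions and advisory ids are constructed.
import json

def parse_version(v):
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def is_affected(version, advisory):
    """True if `version` lies in the advisory's affected range [introduced, fixed).
    A `fixed` value of None means no patched release exists yet."""
    v = parse_version(version)
    if v < parse_version(advisory["introduced"]):
        return False
    fixed = advisory.get("fixed")
    return fixed is None or v < parse_version(fixed)

def find_vulnerable_components(sbom, advisories):
    """Return (component, version, advisory id) for every affected component."""
    findings = []
    for comp in sbom["components"]:
        for adv in advisories:
            if adv["component"] == comp["name"] and is_affected(comp["version"], adv):
                findings.append((comp["name"], comp["version"], adv["id"]))
    return findings

# Constructed SBOM in a CycloneDX-like shape (component names invented).
SBOM = json.loads("""{"components": [
  {"name": "tls-lib", "version": "1.4.2"},
  {"name": "http-server", "version": "2.0.7"},
  {"name": "mqtt-client", "version": "0.9.1"}]}""")

# Constructed advisory feed; the ids are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "component": "tls-lib", "introduced": "1.4.0", "fixed": "1.4.3"},
    {"id": "EXAMPLE-ADV-0002", "component": "http-server", "introduced": "1.0.0", "fixed": "2.0.0"},
    {"id": "EXAMPLE-ADV-0003", "component": "mqtt-client", "introduced": "0.9.0", "fixed": None},
]

if __name__ == "__main__":
    for name, version, adv_id in find_vulnerable_components(SBOM, ADVISORIES):
        print(f"{name} {version} is affected by {adv_id}")
```

Running this in a CI job on every firmware build, with the advisory feed refreshed from a real vulnerability database, turns the standard's "consistently monitor" wording into a repeatable check with a pass/fail outcome.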



Relation between RED and prEN 18031 standards

RED’s three Essential Requirements are mapped to the prEN 18031 standards as follows:


  • RED’s essential requirement 3.3d is covered by the first standard, prEN 18031-1. It is the most generic of the three and specifies common security requirements for radio equipment, addressing security and network risks. (Clauses 5.1 - 5.11)


  • RED’s essential requirement 3.3e is covered by the second standard, prEN 18031-2, which applies to radio equipment processing personal data, traffic data or location data. This includes internet-connected radio equipment, childcare radio equipment, toys and wearables, and the standard addresses security and privacy risks. (Clauses 5.1 - 5.11)


  • RED’s essential requirement 3.3f is covered by the third standard, prEN 18031-3, which only applies to radio equipment processing virtual money or monetary value, meaning that the holder or user can transfer money, monetary value or virtual currency. This document addresses security and financial risks. (Clauses 5.1 - 5.9)


Mapping between RED and prEN 18031 standards

To understand the exact relation between the newest prEN 18031 standards and RED, let’s be precise:


‘Compliance with the normative clauses in the prEN 18031 standards confers a presumption of the conformity with the Essential Requirements from RED (e.g. Directive EU 2014/53/EU).’


In simpler terms, once a device manufacturer complies with the requirements in the applicable prEN 18031 standard, the device is presumed to conform to the cybersecurity requirements of RED.


Which prEN 18031 standard applies to my product?

Depending on the product type, its intended use and its functionalities, one or more of the prEN 18031 standards apply. Which standards must be taken into consideration should be determined through a risk assessment.



Overlap and difference between three prEN standards

The three standards overlap significantly, with the majority of requirements present in all three documents. Distinctions arise in specific areas: the first standard incorporates security measures for network traffic, whereas the second and third standards require logging measures. Additionally, the second standard includes user-centric provisions, such as parental controls for children's access to toys.



Processes vs. product

The prEN standards mainly focus on practical security requirements for the technical capabilities of the equipment, known as product requirements. However, to handle security effectively, it is essential to follow a security-by-design process that considers security aspects and procedures throughout the whole development lifecycle. These are called process requirements.

The prEN series provides a short list of standards that help to meet these measures, including IEC 62443-4-1, which offers a structured approach to a product's secure development lifecycle.




Prepare for EU cybersecurity compliance

Cybersecurity has always been high on the agenda of the European legislators. With the introduction of the cybersecurity requirements from RED, and the publication of the three newest draft prEN 18031 standards, a big step has been made toward cybersecurity harmonisation in the EU. However, in order to reach a unified consensus on how cybersecurity in an entire supply chain can be achieved sustainably, much work is still to be done.





Security Pattern’s cybersecurity experts have been supporting Device Manufacturers since 2017.

