The digital age has transformed our world, bringing us smart homes, IoT devices, wearable tech, and more. These conveniences, powered by radio equipment, connect us in unprecedented ways, but they also present new challenges in cybersecurity.
In response, the European Union has been working diligently to ensure the security and safety of these devices, as evidenced by the recent RED Delegated Act and the related first drafts of the future Harmonized Standards. The efforts of the CEN CENELEC JTC 13/WG 8 experts have resulted in a first set of standards, poised to elevate the cybersecurity posture of radio equipment in the European market.
By defining the common security requirements for equipment, these standards give manufacturers a lucid framework to assess and manage risks. With cybersecurity more important than ever, such initiatives are a step in the right direction for a safer digital future.
Here are the top 10 things you should know at this stage:
1. Publication and Implementation
The RED Delegated Regulation (2022/30) was published on 12 January 2022. It activates requirements that ensure network functionality, user data privacy, and fraud protection. The application of this regulation will fully commence by 1 August 2025.
2. Affected Equipment
This regulation impacts a broad range of equipment, from internet-connected radio devices, wearable tech, and toys to equipment facilitating the transfer of money or virtual currency. Interestingly, childcare equipment also falls under its purview.
3. Exemptions Exist
Not all radio equipment is under the ambit of every article in this regulation. For instance, medical devices have certain exemptions, ensuring that the regulatory environment remains adaptive and precise.
4. Core Requirements
The foundation of this regulation is to bolster security and protection. Equipment should, thus, have features like network traffic monitoring and control, ongoing cyber-attack mitigation, robust authentication measures, and user data protection. Plus, both hardware and software should be regularly updated for enhanced security.
5. A Closer Look at the Future Standards
Three first drafts of harmonized standards have been introduced, addressing specific requirements:
- prEN 18031-1: Focuses on internet-connected radio equipment, addressing security and network risks.
- prEN 18031-2: Encompasses various radio equipment, including toys and wearables, and addresses security and privacy risks.
- prEN 18031-3: Homes in on internet-connected radio equipment that manages virtual currency, focusing on security and financial risks.
6. Methodology in Focus
These standards employ a unique methodology ensuring relevance. They have mechanisms addressing applicability, sufficiency, and even decision trees for enhanced clarity. Furthermore, aspects like network protocols, support for legacy equipment, and public interfaces have been addressed in these standards.
7. Comprehensive Assessment Process
The assessment involves a three-fold process. There's a conceptual assessment, ensuring that the documentation is appropriate, a functional completeness assessment that checks for exhaustive documentation, and a functional sufficiency assessment that tests the implementation against potential threats.
8. Security-First Approach
With an ever-evolving landscape of cybersecurity threats, these standards are rooted in a security-by-design and defense-in-depth philosophy. The standards are designed with foresight, anticipating shifts in the digital landscape.
9. Terminology Matters
In the context of these regulations, the term "equipment" is emphasized over "product", aligning more closely with the legal nomenclature under the RED.
10. Feedback is Encouraged
As these first drafts of standards cover a wide array of equipment, feedback is actively sought at this stage until we reach full harmonisation. Those looking to contribute insights can do so via national mirror committees of CEN-CENELEC JTC 13 during the ENQuiry phase. Entities like Red Alert Labs can further guide and support your feedback processes.
Finally, the world of radio equipment and IoT is vibrant, innovative, and filled with potential. But like any realm of innovation, it comes with risks. The EU's commitment to addressing these risks head-on, while still nurturing a space for creativity and growth, is laudable. As we continue to integrate technology more deeply into our daily lives, such standards will serve as guiding stars, ensuring a safer and more secure digital landscape for all.
Get in touch with specialized experts to get adequate training, consulting, or evaluation to prove compliance with the RED Directive Delegated Act with the most appropriate strategy.