In July last year, the EU Commission adopted the Delegated Regulation on Cyber-security, Privacy, and Fraud protection that amends the Radio Equipment Directive (RED) as a mandatory requirement for CE-marking.
This was originally planned applicable from 1 August 2024 but has been postponed 12 months i.e. till 1 August 2025, to give manufacturers and others concerned time to fully understand and be prepared for these important new requirements.
To support the essential requirements laid out in Article 3.3 of the RED, the development of the necessary detailed standards were left to the European standards bodies CEN and CENELEC and have since been prepared by their Joint Technical Committee JTC 13 WG8.
After several postponements, the planned series of standards was now finally published on 27 August and denoted EN18031 Common security requirements for radio equipment.
The cybersecurity requirements of RED are divided into 3 main parts, each being addressed by one standard in the EN 18031 series:
|
Theme |
RED article |
Standard part |
|
Protection of Network |
3.3 d) |
EN 18031-1 |
|
Privacy |
3.3 e) |
EN 18031-2 |
|
Monterey fraud |
3.3 f) |
EN 18031-3 |
This means that developers, compliance managers, retailers and others finally will have a European standard specifically addressing the cyber security requirements in the European regulations for radio equipment.
The standard provides a complete set of requirements to be met, along with detailed rationales, guidance, and assessment criteria to ensure correct application to radio equipment devices. Each requirement is evaluated in a two-step process: first, its applicability to the product is determined, and then the implementation's suitability is examined. It also contains comprehensive decision trees that help the evaluator and manufacturer to understand the applicability and pass/fail criteria.
As usual in the EU, for using a standard to demonstrate conformity with the essential requirements in a Directive, it must be harmonized i.e. approved by the European Commission and listed in the European Official Journal (OJ). Manufacturers, certifiers (Notified Bodies) and others have already started using the standards. There is a chance that the Commission’s review will result in some alterations in the harmonized standards, but any such changes are expected to be minor.
Nemko is a RED Notified Body and has already experience with the EN 18031 as well as having long experience with the similar standard most used today, i.e. the ETSI EN 303 645.
For further information or assistance, please contact Geir.Hørthe@nemko.com
(Article is based on the information shared by Geir Hørthe and edited by T.Sollie)