Cybersecurity is mandatory for most wireless products from August next year, and at Nemko we often get questions about how to interpret the scope. Really only one question is tricky, but for good measure let’s do a quick recap of the scope.
To state the obvious, all products without a radio transmitter (BLE, Wi-Fi, etc.) are out of scope, and so are Medical, In Vitro, Smart Meters and Road Toll systems.
Wearables and products for children and child-care are in scope, irrespective of connection to the internet. Products that are directly or indirectly connected to the internet are in scope.
This raises the question: what does it mean for a product to be directly or indirectly connected to the internet? To make it easier to understand, we have made a small network.
The above network can illustrate a modern home. In this home, most units are easy to define for internet connection:
Now, there is one product left: the Bluetooth (BT) speaker (or a similar product).
The BT speaker connects to Mobile phone B (which is directly connected to the internet) and the Wi-Fi Tablet (which is indirectly connected to the internet). So the BT speaker is connected to a product with internet access, but does the BT speaker itself connect to the internet?
Normally, a mobile phone will connect to a BT speaker using Bluetooth and use the BT speaker as an external speaker, playing music which is either stored on the phone or streamed from the internet. In neither case does the BT speaker make a request to the internet, nor is it possible to connect to the BT speaker over the internet.
In this case Nemko considers the BT speaker not to be connected to the internet. This is the case both for the EU RED and the UK cybersecurity Act, mandatory from 29 April 2024 (which also defines “connected to internet” in some more detail).
The same would be the case for other products that rely entirely on, e.g., a mobile phone or a PC for communication and which have no capability to initiate a connection to the internet, communicate over the internet or be reached over the internet. Examples include BT speakers, wireless accessories such as keyboards and mice, and other simple BT or ZigBee products.
BUT again, this is to be used with care, and for several reasons!
Due to the uncertainties, it is highly recommended to confer with a RED Notified Body before making the assumption that a product is out of scope.