The European Union (EU) Radio Equipment Directive (RED) cybersecurity requirements will become mandatory on August 1, 2024. With cybersecurity now a global issue, how can manufacturers best demonstrate compliance in regulated markets?
The global market for Internet of Things (IoT) devices is growing. From an estimated worth of USD 44.46 billion in 2020, it is predicted the market will be worth USD 153.8 billion by 2028 – an annual growth rate of 16.69%. This trend is driven by the desire to use IoT to simplify, rationalize and optimize workplaces and daily lives. The key area for growth is home automation, closely followed by consumer wearables, consumer electronics, health care and the automotive sector1.
However, our increasing reliance on IoT technology comes with a problem – security. A 2021 study found that a smart home would experience over 12,000 hacking or unknown scanning attacks a week. These originate from all over the world, making it virtually impossible to legislate against them at source. Protection against cyberattack therefore needs to be focused on device capabilities2.
Cybersecurity is now a major concern for consumers, businesses and governments. IoT device manufacturers consequently need to focus on improving and demonstrating their product’s ability to repulse cyberattacks if they are to succeed in growing markets.
As in all industries, there is no single, global approach being taken to cybersecurity and regulatory oversight. This makes the process of compliance difficult for manufacturers looking to operate in multiple IoT markets. While it can be difficult to understand and achieve compliance with the requirements of a single market, the process becomes infinitely more complicated when they need to synthesize standards and regulations enforced by multiple markets, especially when they are not complementary.
Standards might include:
- USA – IoT Cybersecurity Improvement Act 2020, also California Consumer Privacy Act, Children’s Online Privacy Protection Act and California Bills SB 327 and AB 1906
- India – guidelines for IoT security
- Singapore and Finland – cybersecurity labeling
- Japan – Basic Cybersecurity Act and physical cybersecurity framework
- Brazil – General Data Protection Law
To operate in the European Union (EU), manufacturers will need to consider several pieces of legislation, including the General Data Protection Regulation (GDPR), European Chips Act and now the new requirements under RED.
What is RED?
The EU Radio Equipment Directive 2014/53/EU came into force on June 13, 2016. It applies to all radio equipment being offered onto the market in the EU and establishes relevant health and safety standards (Article 3.1a), electromagnetic compatibility (EMC) requirements (Article 3.1b) and enables efficient use of the radio spectrum (Article 3.2).
On January 12, 2022, Delegated Regulation 2022/30/EU was published in the Official Journal of the EU to further strengthen Europe’s cybersecurity requirements (Article 3.3) for radio equipment.
Among the provisions in Article 3.3 are:
- 3.3d – ensure network protection
- 3.3e – ensure safeguards for the protection of personal data and privacy
- 3.3f – ensure protection from fraud
These requirements apply to a wide range of products, including IoT gateways, smart home assistants, connected appliances (washing machines, refrigerators, etc.) home alarm systems, wearable health trackers, children’s toys, baby monitors and smart home entertainment systems.
For consumers and manufacturers, RED Article 3.3 means cybersecurity capabilities are no longer advisable, they are mandatory.
Best practice for compliance
The ability to demonstrate compliance with a relevant standard shows best practice in terms of cybersecurity provision. In the US, for example, this currently means compliance with the requirements in NIST 8259.
However, there are currently no harmonized standards that cover the provisions in RED Articles 3.3d-f. European Standards Organizations (ESOs) have been tasked with creating applicable standards and it is probable that they will be in place 10 months prior to the August 2024 deadline. It can also be surmised from presentations and workshops by the EU and ESOs that a harmonized standard will be based on the existing IoT cybersecurity standard ETSI EN 303 645 and ETSI TS 103 701.
The SGS Cybersecurity Product Certification Mark demonstrates to consumers that manufacturers have adopted best practice in terms of cybersecurity for their devices. It can be applied to a wide range of IoT products, including smart speakers, cameras, printers, home appliances and lights, as well as equipment for medical, automotive and industrial settings.
The assessment process can include:
- Self-declaration – a basic check on declared product features
- Vulnerability scan – entry level vulnerability assessment
- Conformance testing – investigation against defined standards
- Compliance – full evaluation with report for certification
- In-depth testing – going beyond certification
Our experts help manufacturers to navigate the fragmented global regulatory landscape associated with cybersecurity, ensuring devices comply with all relevant legislation in their target markets. Once a product has been proven to conform to necessary standard(s), this information is shared via the SGS Cybersecurity Mark that is placed onto the product or packaging.
The SGS Cybersecurity Product Certification Mark lets manufacturers build trust in their products and empowers competitive advantage in global markets.
Learn more about the SGS Cybersecurity Product Certification Mark.
Enjoyed this article?
Find more news and updates in our Consumer Compact newsletter >
For further information please contact:
Global Cybersecurity Business Development Manager
SGS Connectivity & Products
t: +886 2 2299 3279 Ext.1306
1 Consumer IoT Market Size And Forecast
2 How a smart home could be at risk from hackers
© Copyright – SGS Société Générale de Surveillance SA. This is a publication of SGS, except for 3rd parties’ contents submitted or licensed for use by SGS. SGS neither endorses nor disapproves said 3rd parties contents. This publication is intended to provide technical information and shall not be considered an exhaustive treatment of any subject treated. It is strictly educational and does not replace any legal requirements or applicable regulations. It is not intended to constitute consulting or professional advice. The information contained herein is provided “as is” and SGS does not warrant that it will be error-free or will meet any particular criteria of performance or quality. Do not quote or refer any information herein without SGS’s prior written consent.