Radio Equipment Directive (RED) Delegated Act for Cybersecurity Officially Postponed to 2025: What Does it Mean?

SG  95/23

Originally scheduled for enforcement in August 2024, the Radio Equipment Directive (RED) has been postponed to 2025 due to ongoing preparation of harmonized standards. Consequently, all wireless devices and products sold in the European Union (EU) will be required to comply with the RED delegated act from August 1, 2025.

The European Commission (EC) has taken measures to strengthen the cybersecurity of wireless devices and products available in the EU by adopting a delegated act under the Radio Equipment Directive (RED). Originally scheduled for enforcement in August 2024, this regulation has been postponed to 2025 due to ongoing preparation of harmonized standards. Consequently, all wireless devices and products sold in the EU will be required to comply with the RED delegated act from August 1, 2025.

In anticipation of the release of harmonized standards, manufacturers can start their compliance preparations now with the support of SGS. They can certify their IoT products against globally recognized cybersecurity standards like ETSI EN 303 645 and IEC 62443-4-2. These standards include requirements that align with the cybersecurity provisions outlined in RED, effectively equipping manufacturers for the upcoming regulatory framework. By partnering with a SGS Notified Body manufacturers can undergo the evaluation process and receive the SGS Cybersecurity Mark as a stamp of approval. With the SGS Cybersecurity Mark, manufacturers can showcase their readiness and compliance with RED requirements before these become mandatory, demonstrating market differentiation and enhancing consumer confidence in their product's safety and reliability.

Scope of RED security requirements: who needs to comply?

The RED delegated act introduces new legal requirements for developers of wireless devices and products at risk from cyber-attacks and privacy issues. These requirements apply to the following device categories: 

• Devices capable of communicating via the Internet, including electronic devices such as smartphones, tablets and electronic cameras, as well as telecommunication equipment and IoT devices
• Toys and childcare equipment, including baby monitors
• Wearable devices, such as smartwatches and fitness trackers

In accordance with Article 3(3) of Directive 2014/53/EU (RED), the legislative requirements include essential elements to ensure protection against cybersecurity risks, which are as follows:

• Network protection – Article 3(3) d
• Protection of personal data and privacy – Article 3(3) e
• Protection from monetary fraud – Article 3(3) f

The manufacturers, when performing the conformity assessment procedures before placing their products on the European Union (EU) market, will have the choice between two possibilities:

• Perform a self-assessment in accordance with the harmonized standards, possible after their expected official publication around June 2024
• Rely on a third-party assessment report provided by a security laboratory and a SGS Notified Body to obtain the EU-type certification letter

How can SGS support you?

Leveraging our extensive experience and expertise gained from cybersecurity evaluations of various products and solutions, we have developed a comprehensive, step-by-step approach to guide you through each stage of the assessment and certification process. Our scope encompasses the full range of training, pre-assessment and evaluation services, enabling you to fast-track your time to market.

• Training/workshops – aim at helping manufacturers and developers gain a deeper understanding of the specific security requirements relevant to their products
• Product design review – we can support you in the initial phases of product development with a thorough product design review and vulnerability scan
• Product testing – we can conduct a pre-market assessment using ETSI TS 103 929 mapping to RED, followed by a comprehensive evaluation against the ETSI EN 303 645 standard
• SGS Cybersecurity Mark – upon successfully completing the evaluation assessment, we will issue a cybersecurity mark to demonstrate your product's adherence to the highest security standards
• EU Type Certificate – SGS Notified Body will issue an EU Type Certificate including RED Articles 3(3)(d), (e) and (f)

Our holistic Total Solution Services for electrical & electronic products, delivered through our global network of accredited testing laboratories, ensure manufacturers and retailers have access to expert support at every stage of the product life cycle, from design, production and regulatory compliance to the import and export of goods. Contact us for more information or visit our website. In the end, it’s only trusted because it’s tested.