CE Certification Directive for Radio Equipment: RED Network Security

In January 2022, the Official Journal of the European Union published Regulation 2022/30/EU, requiring compliance with the Radio Equipment Directive (RED) Articles 3.3(d), (e), and (f). This regulation will be mandatory starting August 1, 2025, providing a transition period for manufacturers to comply with the relevant requirements and obtain CE-RED certification.

The regulation mandates that applicable radio equipment in the EU market ensure network security, personal data privacy, and fraud protection, aiming to enhance the network security of such devices and boost consumer confidence. Non-compliance may result in product recalls, fines, market bans, and reputational damage. With less than a year until the enforcement date, JJR Laboratory in China advises manufacturers to begin preparations to ensure compliance by the deadline.

What is RED Article 3.3 Certification?

According to the EU's Radio Equipment Directive (RED), particularly Article 3.3, basic requirements are set for network security to improve the cybersecurity of wireless products, personal data protection, privacy, and the security of financial transactions.

- Regulatory Requirements:

- RED Article 3.3(d): Must not compromise the network or its functions, nor misuse network resources to cause unacceptable service degradation.

- RED Article 3.3(e): Must include safeguards to ensure protection of users' and subscribers' personal data and privacy.

- RED Article 3.3(f): Must support certain features to prevent fraud.

- Device Coverage:

- Devices that can communicate over the Internet on their own and devices connected to the Internet.

- Must process personal data, communication traffic data, and location data via the Internet.

- Devices that can communicate over the Internet via connected devices and enable holders or users to transfer money, currency, or virtual currency.

- Exclusions:

- RED Articles 3.3(d), (e), and (f) do not apply to medical devices and in-vitro diagnostic medical devices.

- RED Articles 3.3(e) and (f) do not apply to type-approved vehicles and vehicle systems, civil aviation equipment, and cross-border electronic toll systems.

If applicable products do not meet requirements, manufacturers may face consequences including but not limited to:

- Product Recall: Products found non-compliant with cybersecurity requirements may need to be recalled from the market.

- Fines: Manufacturers may incur substantial fines depending on the severity and scope of the non-compliance.

- Market Ban: In severe cases, non-compliant products may be prohibited from sale in the EU market.

- Reputational Damage: Brand reputation may suffer due to violations of cybersecurity regulations, affecting consumer trust and sales.

How to Ensure Radio Equipment Meets RED Article 3.3 Requirements

To ensure radio equipment complies with RED Article 3.3, the following steps should be taken:

1. Understand the Requirements of Article 3.3: These include cybersecurity, personal data protection, user privacy protection, and fraud prevention measures. Specifically, Article 3.3(d) prohibits compromising network functionality and misusing resources; Article 3.3(e) requires measures to protect personal data and privacy; Article 3.3(f) mandates support for fraud prevention features.

2. Learn en 18031 Series Standards: During planning and manufacturing, ensure that radio equipment integrates essential security features, such as preventing unauthorized access, implementing data protection, and securing firmware updates. Mastering the EN 18031 standards, although not currently a coordinated standard for RED, provides valuable reference for meeting RED's security requirements.

3. Monitor Regulatory Changes: The RED regulations may be updated, so regularly check for the latest regulatory requirements to ensure devices remain compliant with current standards.

4. Check Device Applicability under RED Article 3.3: This includes devices capable of Internet communication, whether directly or indirectly connected, such as wearable technology, portable devices, and those for transferring funds or virtual currency, as well as children’s toys or monitoring devices.