Cybersecurity protection for radio equipment

The Radio Equipment Directive (RED, 2014/53/EU) is the central EU directive for radio equipment. A Delegated Act (EU) 2023/2444 was adopted as a revision of the RED to also ensure compliance with modern cybersecurity requirements. In particular, the directive has been extended to include devices that communicate over the Internet using a radio interface. Certain other devices and equipment (e.g. childcare products, toys, wearables) are also included, insofar as they can process personal data, traffic data or location data.

The directive regulates requirements for safety and health and the efficient use of the radio spectrum for all devices that exchange information wirelessly – from smartphones and WiFi routers to smart home applications, IoT devices and industrial systems with wireless components. Smart and networked devices, such as wearables, which process personal data or share it with commercial networks, are similarly affected. Protection against fraud must be ensured for all Internet-connected radio equipment that can transfer money or monetary/virtual assets.

The Delegated Act sets out specific exceptions within this context for radio equipment that is already covered by other EU legislation and is therefore exempt from these new cybersecurity requirements. Such exemptions include, for example, medical devices, in vitro diagnostics, motor vehicles, aviation products, electronic toll systems, etc.

The revised RED should therefore ensure that networked devices are protected against cyberattacks and comply with data protection regulations. With the new requirements coming into effect on 1 August 2025, urgent action is required by manufacturers, importers and distributors of radio products. “Although Switzerland is only indirectly affected as a non-EU country, Swiss companies must also comply with the requirements from the date of introduction in the EU if they are operating in the EU”, says Jürgen Messerer, Embedded Software Architect at bbv.

Which companies are affected by the RED – and what needs to be done now

Companies that develop, place on the market or operate the relevant radio equipment must meet the requirements of both the RED and the CRA. “This also includes carrying out conformity assessments, creating technical documentation and attaching the CE marking”, explains Jürgen Messerer. Others businesses impacted include those that repair wireless communication devices, integrate them into their products or import such devices from third countries into the EU or Switzerland. These organisations are recommended to develop a strategy now to implement the two regulations. The transition period ends on 1 August 2025, after which non-compliant products may no longer be sold or operated in the EU.

Jürgen Messerer advises companies to perform the following clarifications and measures depending on the type of product:

• Perform a product analysis: A technical and regulatory analysis of own products is recommended to find out whether a product complies with RED 2023/2444. It must be clarified which products use radio technologies and whether they are subject, in principle, to the RED. Are these products already certified or do they need to be retrofitted? An analysis of the current security requirements is necessary for this purpose as well as threat modelling.
• Check the cybersecurity requirements: Do the devices comply with the new data protection, data security and network security requirements? Are mechanisms in place to prevent manipulation or attacks on wireless communication? A comprehensive threat analysis can provide information in this regard.

• Prepare tests and certification: To ensure that the security requirements are validated, security and penetration tests have to be carried out. Similarly, procedures are required to monitor product safety and implement corrective measures in the event of errors.
• Customise software and firmware protection: Companies must ensure that all devices are regularly provided with security updates and that monitoring is put in place. It may also be necessary to implement secure authentication and encryption mechanisms. In addition, safe disposal of radio equipment must be ensured.
• Update technical documentation: Manufacturers must provide detailed information and instructions for secure use of the devices. The documentation must be accessible to users and market surveillance authorities. The documentation requirement also covers amendments to the declarations of conformity, the introduction of CE markings and the preparation of technical documentation, which also contains current risk assessments for cyber threats. Security guidelines must be made available. These guidelines indicate the security features of a product and how it can safely be put into operation and hardened in the event of a security incident.
• Agree a compliance strategy with suppliers and partners: Have all suppliers and manufacturers along the supply chain been informed of the new requirements? Are you already complying with the current directive? The contractual provisions for compliance with the new cybersecurity requirements should be adjusted if necessary.

How can bbv help to implement the RED?

Practical implementation and proof of conformity are often provided through compliance with specific harmonised standards such as EN18031, which cover the technical details of the requirements. bbv supports companies by providing holistic solutions to ensure compliance with the RED and the new cybersecurity requirements in accordance with the CRA, NIS-2 and IEC62443. This provides certainty that the corresponding products will remain legally compliant and secure after 1 August 2025, too.

• Compliance check and risk assessment
  bbv carries out a detailed analysis (cybersecurity risk assessments including threat analysis) to check if products fall under the RED and if they comply with the new security requirements set out in the RED. bbv experts help in this regard to identify potential weaknesses in radio equipment and implement secure authentication mechanisms. In addition, bbv offers regulatory advice and a compliance check as part of which the existing security mechanisms are reviewed.
• Development of secure digital components
  If a product includes software or smart functions, we help to implement secure architectures and software updates to meet the requirements of the RED. In terms of software development, bbv can design products securely from the ground up thanks to Security-by-Design in order to mitigate cyber risks in advance.
• Optimisation of traceability and technical/regulatory documentation
  bbv develops solutions for seamless product traceability to comply with regulatory requirements and make recall processes more efficient. bbv experts can handle preparation and conformity assessments for CE markings and also provide support for performing penetration and security tests.
• Integration of cybersecurity measures
  Since the RED also covers digital components that communicate wirelessly, bbv offers security solutions for corresponding products to protect companies against potential cyber risks. For example, there are ways to technically implement cybersecurity requirements, develop secure firmware and software architectures and protect IoT and smart devices against cyber attacks.
• Training
  bbv offers targeted workshops for companies to familiarise employees with the new requirements of security directives and to share best practices for implementation. The workshops raise awareness of the issue of cybersecurity and introduce the most important topics. Participants work together in groups to jointly identify action areas in your company and develop a concrete roadmap for potential measures.