24 February 2021

RED Delegated Act: Mandatory compliance to articles 3.3 d, e and f inbound

Nowadays smart devices can be found in almost every household. These devices usually collect, store and transmit data from the user in one way or another. Too often, devices available on the European market are by default not or insufficiently protected against hacks, data leaks, etc. Compliance with the ETSI EN 303 645 articles 3.3 d, e and f of the Radio Equipment Directive (2014/53/EU) will become mandatory by means of a delegated act. The proposed adoption period starts from October 2021, with a 30 month transition period. After the transition period, compliance with these three articles will become mandatory.

One way to prove compliance with the aforementioned articles is by making use of the ETSI EN 303 645. The European Telecommunications and Standardization Institute (ETSI) has developed the standard ETSI EN 303 645, which ensures a baseline of cybersecurity for consumer IoT products. For consumer IoT products the ETSI 303 645 is used to prove compliance with the three articles, whereas for industrial IoT products and components the IEC 62443-2-4 is used as a basis for the assessment.

The Radio Equipment Directive 2014/53/EU (RED) establishes a regulatory framework for placing radio equipment on the market. It ensures a single market for radio equipment by setting essential requirements for safety and health, electromagnetic compatibility, and the efficient use of the radio spectrum. It also provides the basis for further regulation governing some additional aspects. These include technical features for the protection of privacy, personal data and against fraud. Furthermore, additional aspects cover interoperability, access to emergency services, and compliance regarding the combination of radio equipment and software.

What exactly is happening?

To ensure continuation of its purposes when it comes to the protection of privacy and personal data, the EU will make compliance with articles 3 d, e and f of the RED mandatory by means of a Delegated Act. The proposed adoption period starts from October 2021, with a 30-month transition period. After the transition period, compliance with these three articles will become mandatory. Delegated Acts are legally binding acts that enable the Commission to supplement or amend non‑essential parts of EU legislative acts, for example, in order to define detailed measures.

Why is this happening?

Compliance with articles 3.3 d, e and f will become mandatory to ensure that products that enter the European market have a basic level of cybersecurity to ultimately protect end-users/consumers.

What is the exact scope?

The essential requirement set out in Article 3(3) (d) of Directive 2014/53/EU shall apply to any of the following devices, in so far as those devices are internet-connected:

  • Radio devices;
  • Toy devices;
  • Wearable devices.

The essential requirement set out in Article 3(3) (e) of Directive 2014/53/EU shall apply to any of the following devices, in so far as those devices are capable of processing any data:

  • Radio devices which are internet-connected;
  • Toy devices;
  • Wearable devices.

What does this mean for you as a manufacturer?

For European market access your device must comply with the essential requirements of the RED 3.1a: safety and health, 3.1b: electromagnetic compatibility, and 3.2: the efficient use of the radio spectrum. With the activation of this Delegated Act the current range of the essential requirements will be extended with article 3.3: Cyber security assessments. This means that after formal confirmation of the delegated act your products will have to be evaluated according to both the current RED essential requirements and the new articles 3.3 d, e and f. See the following section to discover what the timeline looks like. For European market access of wireless products it is mandatory that your product meets all the essential requirements of the RED.

What does the timeline look like?

The proposed date of adoption is October 2021. After the adoption commences there will be a transitional period of 30 months. After this transitional period compliance to the articles 3.3 d, e and f is mandatory.

Kiwa can help you!

It is very important to prepare for the changes that this Delegated Act will bring for your current procedures when it comes to RED compliance. Though it can seem complex and cybersecurity in itself can be challenging, Kiwa can assist you with your RED compliance and answer any questions you may have. Contact us by phone (+31 (0)88 998 33 70) or email (CyberSecurity.Certification@kiwa.com).