6 June 2023

UPDATE: RED Delegated Act: Mandatory compliance to articles 3.3 d, e and f

Last updated on 9/08/2023.

On 29 October 2021, the European Commission adopted the RED Delegated Act activating Article 3.3 (d), 3.3 (e) and 3.3 (f) for both consumer and professional/industrial products (C(2021) 7672 1). On 12 January 2022 this supplement to the RED was officially published in the Official Journal of the European Union.

Article 3 of the RED Directive: 2014/53/EU will mandate the following essential requirements regarding cybersecurity:

  • (d) Radio equipment does not harm the network or its functioning nor misuses network resources, thereby causing an unacceptable degradation of service;
  • (e) Radio equipment incorporates safeguards to ensure that the personal data and privacy of the user and of the subscriber are protected;
  • (f) Radio equipment supports certain features ensuring protection from fraud.

By means of this Delegated Act, these three subarticles of the RED are now activated and the indication is that compliance will become mandatory from the 1 August 2025.

How to be compliant?

For compliance to Article 3.3 of the RED, the directive states the following: ‘Where, in assessing the compliance of radio equipment with the essential requirements set out in Article 3(2) and (3), the manufacturer has not applied or has applied only in part harmonized standards the references of which have been published in the Official Journal of the European Union, or where such harmonized standards do not exist, radio equipment shall be submitted with regard to those essential requirements to either of the following procedures: (a) EU-type examination that is followed by the conformity to type based on internal production control set out in Annex III; (b) conformity based on full quality assurance set out in Annex IV.’

Two routes

This means that there are two routes which can be followed in order to be compliant with the articles:

  • Harmonized standards
    The first route is via Module A and self-assessment procedure. This route is only possible when there are harmonized standards available and published in the official journal of the EU. At the moment, the CEN/CENELEC is developing three standards (with the goal of these standards eventually becoming harmonized). The planned publication of the standards is 22 December 2023, the harmonization and adoption of the standards will follow. It is not yet defined when these standards will be harmonized and adopted.
  • EU-type examination by a notified body
    The second route which can be followed by manufacturers is module B+C, in which an EU-type examination certificate (Module B) will be issued by a Notified Body and the manufacturer has to guarantee and declare internal production control (Module C). The RED defines an EU-type examination as follows: ‘The notified body shall examine the technical documentation and supporting evidence to assess the adequacy of the technical design of the radio equipment. The notified body shall draw up an evaluation report that records the activities undertaken and their outcomes. Where the type meets the requirements of this Directive that apply to the radio equipment concerned, the notified body shall issue an EU-type examination certificate to the manufacturer.’

In general this means that a Notified Body, like Kiwa, will examine the manufacturers technical documentation and issue an EU-type examination certificate if the product complies with the applicable articles. The Notified Body will look into the intended use of the product and which currently available, state-of-the-art standard will fit best, to cover the articles 3.3 d, e & f of the RED.

Available cyber security standards

Currently there are a few available cybersecurity standards which can be used to evaluate the cybersecurity of products and their associated services. Below you can read more about the ETSI EN 303 645 and the IEC 62443-4-2. These standards are currently being used by Kiwa to evaluate products.

  • ETSI EN 303 645
    Contains cybersecurity requirements and procedures for IoT consumer products. This not only concerns smart devices themselves, but also sensors and operating parts of these devices and their associated services such as mobile apps, web interfaces etc.  The standard consist of 60+ requirements which will look into, among other things, the protection of personal data, password mechanisms, communication protocols and secure update procedures. The underlying test standard is the ETSI TS 103 701.
  • IEC 62443-4-2
    The IEC 62443 standard is intended to secure Industrial Automation and Control Systems (IACS). It provides a systematic and practical approach that covers every aspect of cybersecurity for industrial systems. There are four series of IEC 62443 standards, aimed at four different IACS categories: General, Policies & procedures, System and Components. The IEC 62443-4-2 has technical security requirements for IACS components and looks into e.g. identification and authentication aspects, user control and resource availability.

How can Kiwa be of help?

Kiwa is one of the first organizations to be officially listed by European Commission as a Notified Body for the Articles 3.3 d/e/f/g and 3.4, the latest activated articles of the Radio Equipment Directive (RED) (2014/53/EU). After a thorough audit procedure, Kiwa has passed all criteria and has been granted the Notified Body status, now under the sharpened rules, for RED Article 3.3 d/e/f/g and 3.4.

In January 2023 the European Commission sharpened their designation of Notified Bodies for the relatively newly activated RED Articles 3.3 d/e/f/g. Because of the rather different kind of requirements, compared to the existing articles, Notified Bodies had to be re-evaluated in order to check if they had the expertise and competences to issue a verdict on radio equipment on this level.

EU-type examination

Harmonized standards which cover articles 3.3 d/e/f/g are currently unavailable, hence an internal production control (Module A) based on harmonized standards is not possible at the moment. To comply in the meanwhile, manufacturers can follow the Module B + C procedure. For this procedure, manufacturers have to apply with an approved Notified Body to perform an EU-type examination. These Notified Bodies can be found on the European Commission website NANDO.

Certificate

During a EU-type examination the Notified Body will examine the manufacturers technical documentation and issue an EU-type examination certificate if the product complies with the applicable articles. Kiwa is now one of the first and very few Notified Bodies able to issue an EU-type examination certification conform the sharpened rules of the European Commission.

More information

For more information on the Radio Equipment Directive (2014/53/EU), check the RED info on our website. For information on RED Articles 3.3 d, e and f, please download our whitepaper or check the news item on the RED Delegated Act. For any specific requests, please contact us via NL.cybersecurity@kiwa.com or +31 (0)88 998 3370.