
UL Solutions Cybersecurity for RED Compliance

Learn more about Article 3.3 of the European Commission’s Radio Equipment Directive 2014/53/EU (RED), which addresses radio-specific device requirements ranging from common interfaces to cybersecurity.

Overview of the Radio Equipment Directive (RED) 2014/53/EU

Key provisions of RED 

The European Commission’s (EC) Radio Equipment Directive 2014/53/EU (RED) establishes a regulatory framework for radio equipment, setting essential requirements for safety and health, electromagnetic compatibility (EMC) and radio spectrum efficiency. Article 3.3 of the Directive includes device requirements related to specific categories of radio equipment, ranging from common interfaces to cybersecurity.

Timeline for compliance

On Jan. 12, 2022, the Official Journal of the European Union published delegated Regulation 2022/30/EU, enforcing compliance requirements to RED Article 3.3(d), (e) and (f). The regulation aims to provide network security, personal data protection, and privacy and fraud protection for applicable wireless devices available on the EU market (see figure). It took effect Feb. 1, 2022, and becomes mandatory on Aug. 1, 2025, giving device manufacturers a 42-month transition period.    

Detailed analysis of RED Article 3.3 cybersecurity requirements

[Figure: RED Article 3.3 Cybersecurity chart]

Network protection under Article 3.3(d)

Article 3.3(d) improves network protection. Device manufacturers will have to include features that avoid harming communication networks and prevent the device from disrupting functionality.

Personal data and privacy under Article 3.3(e)

Article 3.3(e) strengthens personal data and privacy protection. For example, device manufacturers will have to implement measures to prevent unauthorized access or transmission of consumers’ personal data.

Anti-Fraud Measures under Article 3.3(f)

Article 3.3(f) reduces the risk of fraud. Device manufacturers will have to include features such as improved user authentication control to minimize fraudulent electronic payments and monetary transfers.

Scope and impact of RED cybersecurity requirements

Devices covered by the new regulation

The new regulation covers devices that can communicate over the internet, whether directly or via other equipment. Radio equipment that may expose sensitive personal data is also in scope. For example:

  • Mobile phones, tablets and laptops
  • Wireless toys and children’s safety equipment, such as baby monitors
  • Wearable devices, such as smartwatches and fitness trackers

Article 3.3(d) applies to devices related to network protection. Article 3.3(e) applies to equipment that processes personal data, traffic data or location data (for detailed data definitions, refer to Article 4(1) and 4(2) of EU Regulation 2016/679 and Article 2(b) and (c) of Directive 2002/58/EC).

Article 3.3(f) applies to radio equipment that enables the holder or user to transfer money, monetary value or virtual currency as defined in Article 2(d) of EU Directive 2019/713. Cybersecurity measures should factor in emerging crime trends in the electronic payments industry, such as crypto-jacking, ransomware, near-field communication-related fraud and biometric authentication tampering.

Exemptions and special considerations

Devices already within the scope of EC Regulations 2019/2144 (type examination for vehicles), 2018/1139 (civil aviation) or Directive 2019/520 (electronic road-toll systems) that have similar security requirements do not fall under the new Article 3.3 (e) and (f) but shall comply with Article 3.3 (d).

Overview of EN 18031 series standards and UL Solutions’ role in facilitating RED compliance

In August 2022, the EC issued a standardization request to the European Standard Organization (ESO) CEN/CENELEC, which initiated the work on the harmonized standards. UL Solutions reviewed the first draft of the proposed standard and submitted several comments to help improve the document.

On Aug. 14, 2024, the candidate harmonized standards, the EN 18031 series, were officially released and published.

EN 18031 consists of three parts: EN 18031-1, EN 18031-2 and EN 18031-3, and covers Article 3.3(d), (e) and (f), respectively.

  • EN 18031-1:2024 – Common safety requirements for radio equipment - Part 1: Internet-connected radio equipment
  • EN 18031-2:2024 – Common safety requirements for radio equipment - Part 2: Data processing radio equipment, including internet connected radio equipment, childcare radio equipment, toy radio equipment and wearable radio equipment
  • EN 18031-3:2024 – Common safety requirements for radio equipment - Part 3: Internet connected radio equipment handling virtual currency or monetary value

The EN 18031 standard series was harmonized, with restrictions, on Jan. 28, 2025, by Implementing Decision 2025/138. In parallel, DG Grow published guidance documents to support the harmonization.

Manufacturers may apply the EN 18031 standards and will no longer require a Notified Body (NB) if they are fully compliant. However, any other standards, including PSA, EN 303 645, ISA/IEC 62443, etc., will still require an NB.

Also, if restrictions apply, the manufacturer must go to an NB unless it has applied the relevant EN 18031 standards in full and is not breaking the “restrictions.” In those circumstances, an NB is not required.

EN 18031-1:2024 (internet-connected radio equipment): Restrictions

  • The "rationale" and "guidance" sections do not guarantee compliance*
  • Allowing users to operate the device without setting a password

* To expand on point one, these sections serve the following purposes:

  1. Rationale: Explains the reasoning behind specific requirements, helping manufacturers and evaluators understand why certain security measures are necessary.
  2. Guidance: Offers additional information on how to implement or interpret the requirements, providing practical advice for manufacturers.

It's important to note that while these sections are valuable for understanding and implementing the standard, they do not confer a presumption of conformity with the essential requirements set out in Article 3(3) of Directive 2014/53/EU. This means that following the guidance or understanding within the rationale alone is not sufficient to demonstrate compliance with the RED cybersecurity requirements.

EN 18031-2:2024 (radio equipment processing data): Restrictions

  • The "rationale" and "guidance" sections do not guarantee compliance*
  • Allowing users to operate the device without setting a password
  • Inadequate parental/guardian access controls for specific device classes (i.e., implement effective parental/guardian access controls for relevant device categories)

EN 18031-3:2024 (equipment processing virtual money): Restrictions

  • The "rationale" and "guidance" sections do not guarantee compliance*
  • Allowing users to operate the device without setting a password
  • If a toy does not ensure parental or guardian access control, then an NB is required
  • Standard assessment criteria set out in clause 6.3.2.4 are not adequate. In the main text, paragraph (8) explains: Clause 6.3.2.4 of harmonized standard EN 18031-3:2024 includes assessment criteria for secure updates. Four different implementation categories are established, based on digital signatures, secure communication mechanisms, access control mechanisms or others. None of the methods alone is sufficient for the treatment of financial assets. It is considered that the assessment criteria do not properly address the relevant authentication risks and cannot therefore ensure conformity with the essential requirement set out in Article 3(3), first subparagraph, point (f), of Directive 2014/53/EU.
  • From the “guidance”: A manufacturer of products covered by harmonized standard EN 18031-3:2024 to which clause 6.3.2.4 applies does not benefit from presumption of conformity regardless of the design of the product. A third-party conformity assessment is mandatory.

The harmonized standards, EN 18031, support the essential requirements laid out in Article 3.3 (d), (e) and (f) and contain technical specifications for radio equipment in scope. These specifications cover topics such as network traffic monitoring, denial of service attacks mitigation, authentication and access control mechanisms, secure update mechanism and attack surface reduction. Additionally, specifications address data security and privacy — specifically aiming at issues such as preventing the accidental or unauthorized storage, processing, access, disclosure, destruction or loss of data. Users also have the ability to easily delete their personal data stored on a device before disposing of it to prevent the exposure of their information.

Why choose UL Solutions for RED cybersecurity compliance

Expertise in cybersecurity and compliance

RED impacts any manufacturer producing radio equipment to be sold on the EU market.

Manufacturers will be responsible for cybersecurity throughout the entire life cycle of the device. UL Solutions can help you progress towards RED compliance with advisory services that highlight gaps and provide educational guidance that can help you reach your objectives.

Comprehensive support from strategy to implementation

UL Solutions can support you regardless of your current development stage. For early-stage projects, we can help you understand how to apply security-by-design and embed security in your governance and processes. To this end, we offer training and workshops led by our security experts to equip your team with the knowledge to successfully implement your products.

For projects in a later development stage, we can assist you with a gap analysis or full compliance assessment to EN 18031-1/EN 18031-2/EN 18031-3, EN 303 645 and IEC 62443-4-2, which will help you increase the security posture of your products. The latter two standards have requirements that overlap with those to address the Essential Requirements for RED and will greatly support your readiness for RED.

Compliance advisory and training services

RED DA and EU Regulatory Landscape Workshop

This workshop provides an overview of the EU cybersecurity regulatory landscape, setting the stage for a deeper understanding of the RED DA for Article 3.3(d), (e) and (f) and its importance in enhancing the security and privacy of connected devices along with the future impacts of the Cyber Resilience Act.

Advisory services

We offer training services for customers at every step of their journey toward RED compliance.

  • Basic – Level 1: Initiation

    Basic advisory services are designed for manufacturers starting their journey into the RED DA and looking for an expert to help identify the major gaps toward future compliance.

  • Substantial – Level 2: Developing

    Substantial advisory services are designed for manufacturers that have already started working on their compliance with RED DA and have prior experience with cybersecurity certifications.

  • High – Level 3: Defined

    These services are designed for manufacturers that are well on track on their journey to compliance with RED DA and looking for an expert to evaluate their work.

Conformity assessment services

In some cases, manufacturers must demonstrate the conformity of their products through assessment by an NB. As an NB, UL Solutions can provide assessment services for Article 3.3 (d), (e) and (f) of the RED. This will allow manufacturers to confirm compliance earlier than the mandated date of Aug. 1, 2025, helping them avoid a potential peak period of product testing.

In addition, to help manufacturers enter global markets smoothly, we provide assessment, testing and certification services for:  

  • EN 303 645: Cybersecurity for Consumer Internet of Things
  • The Cyber Resilience Act (CRA)
  • ISA/IEC 62443: Security for Industrial Automation and Control Systems
  • The U.K. Product Safety and Telecommunications Infrastructure Act (PSTI)
  • US NISTIR 8259A: IoT Device Cybersecurity Capability Core Baseline
  • US NISTIR 8425: Profile of the IoT Core Baseline for Consumer IoT Products
  • California Internet of Things Security Act SB 327
  • Singapore Cybersecurity Labeling Program (CLS)
  • UL Verified IoT Device Security Rating (MCV 1376)
  • ISO 27001: Information Security, Cybersecurity and Privacy Protection — Information Security Management Systems
  • FIPS 140-3
  • Common Criteria

Summary of RED cybersecurity compliance 

The Radio Equipment Directive (RED) 2014/53/EU introduces crucial cybersecurity requirements for internet-connected devices and those handling sensitive personal data. Solutions and technical specifications are available to help you meet these requirements. Manufacturers must comply with these regulations by Aug. 1, 2025. UL Solutions offers comprehensive support for RED compliance, including advisory services, gap analysis and conformity assessments. The expertise covers various stages of product development, from early-stage security-by-design implementation to later-stage compliance evaluations. Given the complexity of these new regulations and the approaching deadline, manufacturers are encouraged to contact UL Solutions for guidance and support in achieving RED compliance and ensuring their products meet the necessary cybersecurity standards for the EU market. 
