Advice for OEMs Preparing for Security Regulation in Europe

How Should the Electronics Industry Prepare for the Radio Equipment Directive (RED) and the EU Cybersecurity Resilience Act (CRA)?

Skip to content

From the beginning of PSA Certified, the founders have worked together to monitor the ever-changing regulatory landscape surrounding security in IoT and connected devices.  With the publication of draft requirements from the EU Commission, device manufacturers, software suppliers and chip vendors will be aware that they need to prepare for forthcoming regulation. The detailed security requirements are still in development, but when they come into force, they will affect most of the electronics industry that want to sell products in Europe. This blog covers two of the most prominent regulations emerging in Europe, what they mean for you, and how you can prepare.

What is the Radio Equipment Directive (RED)?

The RED directive will apply to wirelessly connected devices (also referred to as “Radio Equipment” and shortened to “Equipment”) sold in the EU from August 2024.  The detailed security requirements are being written by CEN-CENELEC’s JTC 13 Working Group 8 experts and are expected to be based on EN 303 645.  Since most IoT and connected products integrate wireless radios and network stacks such as WiFi and Thread and most manufacturers will want to sell into Europe, the technical RED requirements will be of great importance to the market. The legislation aims to: improve network resilience, protect consumers’ privacy and reduce the risk of monetary fraud. The technical requirements are expected to focus on baseline cybersecurity requirements that will help safeguard Equipment from basic security attacks.  Manufacturers will be able to perform a self-assessment if the product is designed in accordance with a harmonised standard or rely on third-party assessment.

What is the Status of the Radio Equipment Directive (RED)?

Device makers are waiting for the next version of CENELEC’s draft to be published so that they can design to meet the detailed requirements and tests.  RED cybersecurity requirements are a “known unknown” for the industry at the time of writing; hopefully, all will become clear soon.

As a Device Manufacturer, How Can I Prepare for the Radio Equipment Directive (RED)?

In the absence of published security requirements, a sensible course of action is ensuring that the connected device meets at least the minimum requirements of EN 303 645. The PSA Certified founders aligned with EN 303 645 and its predecessors from 2019 and today PSA Certified Level 1 security evaluation continues to map to the ETSI specification’s mandatory device requirements. PSA Certified additionally includes the NIST Cybersecurity baseline requirements from NIST 8259A and the PSA Security Model Goals. When the technical requirements from RED become available, the plan is to ensure they, too, are mapped in a future version of PSA Certified Level 1. 

What is the EU Cyber Resilience Act?

The EU Cyber Resilience Act has an even broader scope than RED as it applies to “products with digital elements”. The requirements will cover almost the entire electronics industry in its current draft proposal stage, including chips, software, devices and apps. It considers the lifecycle of products as well as baseline security requirements, for example, asking for five years of updates. Products are split into three categories with varying conformance approaches: self-assessment for non-critical, 3rd party assessment or application of a standard for Critical Class I products, and 3rd party under a national body for Critical Class II products. The draft requirements are functional in style with 12 technical requirements, 8 regarding vulnerability handling and 9 on information.  

What is the Status of the EU Cyber Resilience Act?

Unlike RED, the EU Cyber Resilience Act isn’t yet law. However, the draft requirements were published in September 2022 and since it is likely to be several years before it becomes legislation there is plenty of time for the industry to consider how to respond.

As a Device Manufacturer, How Can I Prepare for the EU Cyber Resilience Act?

As with RED, a sensible approach as a device manufacturer is to adhere to cybersecurity best practices. PSA Certified has publicly stated its intention to include the draft technical requirements from EU CRA in the next version of PSA Certified Level 1 that is planned for Q2 2023.

How Will RED and the EU Cyber Resilience Act Work Together?

It is still being determined how RED directive requirements and EU CRA will play together. However, it’s clear that if you are a maker of a connected thermostat with a product in September 2024 you will need to self-assess for RED requirements (currently in development).

What still needs to be clarified is what happens when the EU Cyber Resilience Act becomes law. For example, if you launch another product in September 2026 will you have to do two assessments: one for RED and another for EU CRA? There are some positive signs, as the EU CRA proposal has a section on “interplay” with RED, however it is difficult to know for sure if RED requirements will be retired when EU CRA is in force. Therefore, it is probably safer to prepare for two separate security assessments.

Of the two initiatives, the urgent one to respond to is the RED directive but we are all waiting for a published version of cybersecurity requirements from CENELEC. EU CRA is on a longer horizon and the publication of the draft enables companies to start preparing. 

How Can PSA Certified Help You Prepare for Legislation?

If you’re new here, you may not know that PSA Certified is an independent security evaluation scheme for IoT and connected chips, system software and devices. Our mission is to make it easier and quicker for the value chain to build secure by design products that start with a hardware Root of Trust and prove it through lab-based assessment.

PSA Certified is maintained by a board of co-founders, who are all committed to monitoring the security landscape to ensure we’re proactively preparing manufacturers for upcoming legislation. As mentioned in the blog, the PSA Certified Level 1 certification is already aligned to the security requirements of ETSI EN 303 645, NIST 8259A and the PSA Certified Security Model 10 Goals. We have made commitments that our future versions will be updated to track important regulatory requirements (such as EU CRA).

If you would like to find out more about PSA Certified and how it unifies the security requirements from NIST and ETSI head over to our PSA Certified Level 1 landing page here.