Radio Equipment Directive (RED) Delegated Act for Cybersecurity Officially Postponed to 2025: What Does it Mean?

25.07.23 03:27 PM By SGS Brightsight

The European Commission (EC) has taken measures to strengthen the cybersecurity of wireless devices and products available in the European market by adopting a delegated act under the Radio Equipment Directive (RED). Originally scheduled for enforcement in August 2024, this regulation has been postponed to 2025 due to the ongoing preparation of harmonized standards.

Consequently, all wireless devices and products sold in the European market will be required to comply with the RED delegated act effective from August 1, 2025.

In anticipation of the release of harmonized standards, manufacturers can start their compliance preparations now with the support of SGS Brightsight. They can certify their IoT products against globally recognized cybersecurity standards like ETSI EN 303 645 and IEC 62443-4-2. These standards include requirements that align with the cybersecurity provisions outlined in RED, effectively equipping manufacturers for the upcoming regulatory framework. By partnering with an SGS Notified Body, manufacturers can undergo the evaluation process and receive the SGS Cybersecurity Mark as a stamp of approval. With the SGS Cybersecurity Mark, manufacturers can showcase their readiness and compliance with RED requirements before these become mandatory, demonstrating market differentiation and enhancing consumer confidence in their products' safety and reliability.

Scope of RED security requirements: who needs to comply?

Device Categories

The RED delegated act introduces new legal requirements for developers of wireless devices and products at risk from cyber-attacks and privacy issues. These requirements apply to the following device categories: 

  • Devices capable of communicating via the Internet, including electronic devices such as smartphones, tablets and electronic cameras, as well as telecommunication equipment and IoT devices
  • Toys and childcare equipment, including baby monitors
  • Wearable devices, such as smartwatches and fitness trackers

Legislation

In accordance with Article 3(3) of Directive 2014/53/EU (RED), the legislative requirements include essential elements to ensure protection against cybersecurity risks, which are as follows:

  • Network protection – Article 3(3)(d)
  • Protection of personal data and privacy – Article 3(3)(e)
  • Protection from monetary fraud – Article 3(3)(f)

Conformity Assessment

When performing the conformity assessment procedures before placing their products on the European Union (EU) market, manufacturers will have two options:

  • Perform a self-assessment in accordance with the harmonized standards, possible after their expected official publication around June 2024
  • Rely on a third-party assessment report provided by a security laboratory and an SGS Notified Body to obtain the EU-type certification letter

How can SGS Brightsight support you?  

Leveraging our extensive experience and expertise gained from cybersecurity evaluations of various products and solutions, we have developed a comprehensive, step-by-step approach to guide you through each stage of the evaluation and certification process. Our scope encompasses the full range of training, pre-assessment and evaluation services, enabling you to fast-track your time to market.

Training/workshops

Our training and workshops aim to help manufacturers and developers gain a deeper understanding of the specific security requirements relevant to their products.

Product design review

We can support you in the initial phases of product development with a thorough product design review and vulnerability scan.

Product testing

We can conduct a pre-market assessment using ETSI TS 103 929 mapping to RED, followed by a comprehensive evaluation against the ETSI EN 303 645 standard.

SGS Cybersecurity Mark

Upon successful completion of the evaluation assessment, we will issue a cybersecurity mark to demonstrate your product's adherence to the highest security standards.

EU Type Certificate

The SGS Notified Body will issue an EU Type Certificate including RED Articles 3(3)(d), (e) and (f).

Why choose SGS Brightsight as your security laboratory?

SGS Brightsight joined the SGS Group – the world’s leading testing, inspection and certification company – in 2021. With over 35 years of experience, and a growing global network of state-of-the-art laboratories, we provide comprehensive training and evaluation solutions to operators in all industry sectors. We operate across 10 locations around the globe, employ over 170 specialist security evaluators and perform in excess of 700 evaluations a year – making SGS Brightsight the number one independent security evaluation service provider in the world.


Would you like to learn more about how we can help you prepare for compliance with RED and the SGS Cybersecurity Mark? Contact our security experts today.
