Mandatory cybersecurity for CE marking: Rules and procedures

Cybersecurity is a necessary requirement for obtaining CE marking for radio equipment, thanks to the provisions of the European Commission on the subject. The Delegated Regulation (EU) 2022/30, which entered into force on 11/02/2022, applies starting from 1/08/2024, giving manufacturers a necessary transition period to adapt devices to the new requirements.

The Regulation in question applies the conformity requirements set out in Article 3, section 3, letters d), e) and f) of the RED Directive, in order to increase cybersecurity, the protection of personal data and fraud protection for the devices involved and available on the EU market.

Products subject to cybersecurity update

The RED Directive (Radio Equipment Directive), dedicated to radio equipment, and therefore to IoT devices and instruments with commonly used wireless technology, defines the areas to which the new requirements apply, including the vast majority of connected devices that are used in everyday life.

The new regulatory framework applies to all radio equipment that can communicate over the Internet, either directly or through other equipment, and that processes personal data, traffic data and location data. It also applies to devices dedicated to children; radio equipment intended to be worn on, or secured to or hung from, any part of the human body or a garment; radio devices complying with the Directive on toys; and radio equipment connected to the Internet which allows money transfer.

Various devices are excluded from the scope of the RED Directive, such as vehicles covered by Regulation (EU) 2019/2144 and devices connected to civil aviation, which are dealt with by Regulation (EU) 2018/1139. Among others, electronic toll systems governed by Directive (EU) 2019/520 are also excluded, as are medical devices to which Regulation (EU) 2017/745 and Regulation (EU) 2017/746 apply.

The essential requirements for cybersecurity

As set out in Article 3 of the RED Directive 2014/53/EU, to comply with the regulatory framework, the radio equipment above must meet certain requirements, including:

  • not harm the network or its operation, nor misuse network resources, thereby causing an unacceptable degradation of service;
  • contain safeguards to ensure the protection of the personal data and privacy of the user and the subscriber;
  • support certain features that ensure protection from fraud.

The standards that specify security, protection and data protection provisions for radio, IoT and wireless devices and their interactions are ETSI EN 303 645 "CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements" and the IEC 62443 series of standards, "Industrial communication networks – Network and system security".

Cybersecurity and manufacturer's obligations

The manufacturers of devices covered by Article 3 of the RED Directive are required to assess the cybersecurity compliance of their products. In addition, assessing the cybersecurity of a product according to the available standards can help identify the aspects of the device under consideration that need improvement, in order to decide whether to bring the current product into conformity or change the characteristics of the next product.

Given the relatively short transition period, considering the large number of products that need to be brought into compliance, manufacturers should adapt devices to cybersecurity regulations quickly, as many companies in the sector have already done, to avoid the risk of delays or penalties close to the date of entry into force.

To request more information on this topic, write to
or call +39 0481 778931.

Questions and comments

If you have questions or comments, Sicom Testing will be happy to answer you.