Compulsory cybersecurity for CE marking: rules and procedures

Cybersecurity is now a mandatory requirement for obtaining the CE marking for radio equipment, following the European Commission's intervention on the matter. Delegated Regulation (EU) 2022/30 entered into force on 1 February 2022 and was originally due to apply from 1 August 2024 (a date later postponed to 1 August 2025 by Delegated Regulation (EU) 2023/2444), giving manufacturers a transition period in which to adapt their devices to the new requirements.

The Regulation activates the essential requirements of Article 3(3), points (d), (e) and (f) of the RED (Radio Equipment Directive 2014/53/EU) for specific categories of equipment, with the aim of strengthening network protection, the protection of personal data and privacy, and protection against fraud for the devices concerned placed on the EU market.

Products subject to the cybersecurity requirements

The RED (Radio Equipment Directive) covers radio equipment in general, and therefore IoT devices and any product using common wireless technologies; the Delegated Regulation defines the categories of such equipment to which the new requirements apply, which together include the vast majority of connected devices in everyday use.

The new framework applies to radio equipment that can communicate over the Internet, either directly or through other equipment. In detail: the network-protection requirement of point (d) applies to all such Internet-connected radio equipment; the personal-data and privacy requirement of point (e) applies to Internet-connected radio equipment that processes personal, traffic or location data, as well as to childcare equipment, to radio equipment intended to be worn on, strapped to or hung from any part of the human body or clothing, and to radio equipment covered by the Toy Safety Directive 2009/48/EC; the fraud-protection requirement of point (f) applies to Internet-connected radio equipment that enables its holder or user to transfer money, monetary value or virtual currency.

Several categories of equipment are excluded from the scope of the Delegated Regulation because they are already covered by sector-specific rules: motor vehicles covered by Regulation (EU) 2019/2144, civil aviation equipment covered by Regulation (EU) 2018/1139, electronic road toll systems covered by Directive (EU) 2019/520, and medical devices covered by Regulation (EU) 2017/745 and Regulation (EU) 2017/746. These products remain subject to the RED for its other essential requirements where applicable; only the application of points (d), (e) and (f) through the Delegated Regulation is excluded.

The essential cybersecurity requirements

Under Article 3(3) of the RED Directive 2014/53/EU, the radio equipment in the categories described above must be constructed so that it:

  • does not harm the network or its functioning, nor misuse network resources, thereby causing an unacceptable degradation of service (point (d));
  • incorporates safeguards to ensure that the personal data and privacy of the user and of the subscriber are protected (point (e));
  • supports certain features ensuring protection from fraud (point (f)).

The reference standards commonly used to specify security and data-protection measures for radio, IoT and wireless devices and their interactions are ETSI EN 303 645 "CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements" and the IEC 62443 series "Industrial communication networks – Network and system security". Note that these are not, by themselves, harmonised standards cited in the Official Journal for the Delegated Regulation: the harmonised standards developed specifically for Article 3(3)(d), (e) and (f) are the EN 18031-1, EN 18031-2 and EN 18031-3 series. Where a manufacturer does not apply harmonised standards, the RED does not allow conformity assessment by internal production control alone (Module A); the assessment must involve a notified body, either through EU-type examination followed by conformity to type (Modules B and C) or through full quality assurance (Module H).

IT security and manufacturer obligations

Manufacturers of equipment falling under Article 3(3) of the RED are required to assess the conformity of their products with respect to cybersecurity. Beyond producing the evidence needed for the conformity assessment, evaluating a product's security against the available standards also serves to identify the aspects of the device that need improvement, so that the manufacturer can decide whether to bring the current product into compliance or to change the design of the next one.

Given the relatively short transition period, and the large volume of products that need to be brought into compliance, manufacturers should adapt their devices to the cybersecurity requirements as early as possible, as many companies in the sector have already done, to avoid the risk of delays or sanctions close to the date of application.

To request further information on this topic, write to info@sicomtesting.com
or call +39 0481 778931.
