RED DELEGATED REGULATION
The RED (Radio Equipment Directive) is the European Union law that establishes technical and safety requirements for radio equipment and telecommunications terminal equipment placed on the European market. Its primary goal is to ensure that products using wireless technologies (mobile phones, Bluetooth devices, Wi-Fi equipment, radios, etc.) are safe and compliant with quality standards.
New Cybersecurity requirements
Protection against cyber threats: Radio equipment is exposed to cyber threats. The RED cybersecurity requirements help to ensure that radio equipment is designed and manufactured so that it can resist those threats and protect the confidentiality, integrity and availability of the data it transmits and receives.
Compliance with regulations: Compliance with cybersecurity requirements is mandatory for manufacturers of radio equipment before placing their products on the market or putting them into service. Failure to comply with these requirements can result in severe penalties and damage to a company’s reputation.
Ensuring interoperability: The RED cybersecurity requirements help to ensure that radio equipment is designed and manufactured so that it interoperates with other devices and systems, working seamlessly with them without compromising the security and privacy of users.
Protecting personal data: Radio equipment may transmit and receive personal data, and as such, it is essential to ensure that this data is protected against unauthorized access and theft.
RED Directive Family of Security Standards:
| Document | Covers the essential requirements of | Addresses security assets and risks | Addresses network assets and risks | Addresses privacy assets and risks | Addresses financial assets and risks |
|---|---|---|---|---|---|
| FprEN 18031-1 | 3.3.(d) | ✔ | ✔ | × | × |
| FprEN 18031-2 | 3.3.(e) | ✔ | × | ✔ | × |
| FprEN 18031-3 | 3.3.(f) | ✔ | × | × | ✔ |
Common security requirements for radio equipment
- FprEN 18031-1 Common security requirements for radio equipment – Part 1: Internet connected radio equipment.
- FprEN 18031-2 Common security requirements for radio equipment – Part 2: Radio equipment processing data, namely Internet connected radio equipment, childcare radio equipment, toys radio equipment and wearable radio equipment.
- FprEN 18031-3 Common security requirements for radio equipment – Part 3: Internet connected radio equipment processing virtual money or monetary value.
RED Security Standards Requirements:
| Requirements | 3.3.(d) | 3.3.(e) | 3.3.(f) |
|---|---|---|---|
| [ACM] Access control mechanism | ✔ | ✔ | ✔ |
| [AUM] Authentication mechanism | ✔ | ✔ | ✔ |
| [SUM] Secure update mechanism | ✔ | ✔ | ✔ |
| [SSM] Secure storage mechanism | ✔ | ✔ | ✔ |
| [SCM] Secure communication mechanism | ✔ | ✔ | ✔ |
| [LGM] Logging mechanism | – | ✔ | ✔ |
| [DLM] Deletion mechanism | – | ✔ | – |
| [UNM] User notification mechanism | – | ✔ | – |
| [RLM] Resilience mechanism | ✔ | – | – |
| [NMM] Network monitoring mechanism | ✔ | – | – |
| [TCM] Traffic control mechanism | ✔ | – | – |
| [CCK] Confidential cryptographic keys | ✔ | ✔ | ✔ |
| [GEC] General equipment capabilities | ✔ | ✔ | ✔ |
| [CRY] Cryptography | ✔ | ✔ | ✔ |
The standards use the concept of mechanisms to address specific security requirements, so that the requirements can be applied appropriately to different types of implementation and different uses of equipment.
The first requirement of each mechanism concerns applicability. It may contain an “unless” component listing the conditions under which the mechanism is not required.
If the mechanism is determined not to be applicable, the remaining requirements of that clause are no longer mandatory.
When a mechanism is required, its sufficiency is assessed against the adequacy requirement of that mechanism and the corresponding evaluation criteria.
Any supporting requirements in the clause also apply.
Application and Structure
- Article 3.3.(d) Protection of the network
Application
It shall apply to any radio equipment that can communicate over the Internet, either directly or through any other equipment (“Internet-connected radio equipment”).
- Article 3.3.(e) Protection of personal data and privacy
Application
It shall apply to any of the following radio equipment:
- a) radio equipment designed or intended solely for the care of children;
- b) radio equipment covered by Directive 2009/48/EC (Toys);
- c) radio equipment designed or intended, whether or not exclusively, to be worn, fitted or hung;
- d) if they are capable of processing personal data, or traffic data and location data;
- e) Internet-connected radio equipment other than those mentioned above.
Definitions
- Personal data: any information relating to an identified or identifiable natural person; an identifiable natural person is any person whose identity can be established, directly or indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
- Traffic data: any data processed for the purpose of carrying out a communication over an electronic communications network or for the purpose of billing the same.
- Location data: any data processed in an electronic communications network indicating the geographical position of the terminal equipment of a user of a publicly available electronic communications service.
- Article 3.3.(f) Fraud protection
Application
It shall apply to any radio equipment connected to the Internet if such equipment allows the holder or user to transfer money, monetary value or virtual currencies. “Virtual currency” means a digital representation of value that is neither issued nor guaranteed by a central bank or public authority, is not necessarily attached to legal tender and does not necessarily have the legal status of currency or money, but is accepted by natural or legal persons as a medium of exchange and can be transferred, stored and traded by electronic means.
- Excepted products
- Medical devices.
- Civil aviation.
- Motor vehicles and trailers.
- Interoperability of electronic road toll systems.
- Assessment
Assessments are carried out by working through assessment cases; not every assessment case is provided for every mechanism:
Conceptual assessment. Examine whether the documentation and justification provided give the required evidence (for example, the justification for why a mechanism is not applicable to a specific network interface).
- Decision trees
The standards provide decision trees that give clear direction for decision making and evaluation.
A decision is made for each of the specified elements independently. For example, when checking the applicability of a requirement to external interfaces, whether the applicability requirement and all additional sub-requirements must be satisfied is decided for each external interface separately, independent of the decision for any other interface.
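The clause structure described above (applicability with “unless” conditions, then sufficiency and supporting requirements, decided per external interface) can be modelled as a small evaluator. The following is an added example, not text or code from EN 18031 or from this page; the `ExternalInterface` fields, the “unless” condition, the requirement identifiers (`SCM-confidentiality`, `SCM-peer-authentication`, `CRY-documented-algorithms`) and the sample interfaces are illustrative assumptions, not the standard’s own wording.

```python
from dataclasses import dataclass, field
from typing import Callable

# Constructed, simplified model of how a mechanism clause is evaluated:
# applicability per interface (with 'unless' conditions), then sufficiency
# and supporting requirements only where the mechanism is applicable.
# Conditions and requirement identifiers below are illustrative assumptions.


@dataclass
class ExternalInterface:
    """One external interface of the equipment, with the evidence gathered for it."""
    name: str
    protocol: str
    reachable_in_field: bool   # False e.g. for a factory-only port disabled before shipping
    encrypted: bool
    peer_authenticated: bool
    crypto_documented: bool


@dataclass
class UnlessCondition:
    """An 'unless' clause: if it holds for an interface, the mechanism is not required there."""
    description: str
    holds: Callable[[ExternalInterface], bool]


@dataclass
class Requirement:
    """A sufficiency or supporting requirement, checked against the gathered evidence."""
    identifier: str
    satisfied: Callable[[ExternalInterface], bool]


@dataclass
class Mechanism:
    code: str
    unless: list[UnlessCondition]
    sufficiency: list[Requirement]
    supporting: list[Requirement]


@dataclass
class Verdict:
    interface: str
    mechanism: str
    applicable: bool
    justification: str                      # the evidence a conceptual assessment reviews
    unmet: list[str] = field(default_factory=list)


def assess(mechanism: Mechanism, iface: ExternalInterface) -> Verdict:
    """Evaluate one mechanism for one interface, independently of all other interfaces."""
    # Applicability first: the first 'unless' condition that holds ends the clause here,
    # and the remaining requirements are no longer mandatory for this interface.
    for cond in mechanism.unless:
        if cond.holds(iface):
            return Verdict(iface.name, mechanism.code, False, f"not applicable: {cond.description}")
    # Applicable: the sufficiency requirements and every supporting requirement must be met.
    unmet = [r.identifier for r in mechanism.sufficiency + mechanism.supporting
             if not r.satisfied(iface)]
    return Verdict(iface.name, mechanism.code, True, "no 'unless' condition holds", unmet)


def assess_equipment(mechanisms: list[Mechanism],
                     interfaces: list[ExternalInterface]) -> list[Verdict]:
    """Apply every mechanism to every interface; each (interface, mechanism) decision stands alone."""
    return [assess(m, i) for i in interfaces for m in mechanisms]


# Hypothetical SCM-style mechanism (assumed conditions, not EN 18031 wording).
SCM = Mechanism(
    code="SCM",
    unless=[UnlessCondition("interface is not reachable once the equipment is in the field",
                            lambda i: not i.reachable_in_field)],
    sufficiency=[Requirement("SCM-confidentiality", lambda i: i.encrypted),
                 Requirement("SCM-peer-authentication", lambda i: i.peer_authenticated)],
    supporting=[Requirement("CRY-documented-algorithms", lambda i: i.crypto_documented)],
)

# Constructed sample equipment with three external interfaces.
SAMPLE_INTERFACES = [
    ExternalInterface("wifi-mgmt-api", "https", True, True, True, True),
    ExternalInterface("factory-uart", "serial", False, False, False, False),
    ExternalInterface("legacy-telnet", "telnet", True, False, True, True),
]

if __name__ == "__main__":
    for v in assess_equipment([SCM], SAMPLE_INTERFACES):
        status = "APPLICABLE" if v.applicable else "N/A"
        print(f"{v.interface:15} {v.mechanism} {status:10} {v.justification}; unmet={v.unmet}")
```

Each verdict keeps the justification string, because for an interface where the mechanism is found not applicable that justification is exactly what the conceptual assessment reviews; for an applicable interface the `unmet` list is what the sufficiency assessment has to resolve.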
Functional integrity assessment. Examine and test the completeness of the documentation provided (for example, use network scanners to verify that all external interfaces are properly identified, documented and evaluated).
Functional sufficiency assessment. Examine and test the adequacy of the implementation (for example, run fuzzing tools against a network interface to test whether it is robust against malformed input).
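The functional integrity check (“are all external interfaces identified and documented?”) reduces to reconciling the manufacturer’s interface inventory with what is actually observed listening on the device. The following is an added example, not code from the standard or from this page: it assumes the column layout of `ss -ltnu` output captured on the equipment under test, and both the captured output and the documented inventory are constructed sample data.

```python
from dataclasses import dataclass

# Constructed output in the column layout of `ss -ltnu` on the equipment under test.
# Addresses and ports are invented sample data for this example.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:443         0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:8080      0.0.0.0:*
tcp   LISTEN 0      5      0.0.0.0:23          0.0.0.0:*
tcp   LISTEN 0      128    [::]:22             [::]:*
udp   UNCONN 0      0      0.0.0.0:5353        0.0.0.0:*
udp   UNCONN 0      0      [::1]:5353          [::]:*
"""

# What the documentation claims as the equipment's external interfaces
# (constructed sample inventory; the assessment compares it with what is observed).
DOCUMENTED = {("tcp", 443), ("tcp", 22), ("udp", 5353), ("tcp", 8443)}

LOOPBACK = {"127.0.0.1", "::1"}


@dataclass(frozen=True)
class Listener:
    proto: str
    address: str
    port: int

    @property
    def external(self) -> bool:
        """Loopback-only sockets are reachable from the device itself, not from the network."""
        return self.address not in LOOPBACK


def parse_ss(output: str) -> list[Listener]:
    """Parse the Local Address:Port column of `ss` output into Listener records."""
    listeners = []
    for line in output.splitlines()[1:]:           # skip the header row
        parts = line.split()
        if len(parts) < 5:
            continue
        proto, local = parts[0], parts[4]
        # Split on the last ':' so IPv6 literals such as [::]:22 keep their address part.
        address, _, port = local.rpartition(":")
        address = address.strip("[]")
        listeners.append(Listener(proto, address, int(port)))
    return listeners


def reconcile(documented: set[tuple[str, int]], listeners: list[Listener]) -> dict[str, set]:
    """Compare the documented interface inventory with the observed external listeners."""
    observed = {(lst.proto, lst.port) for lst in listeners if lst.external}
    return {
        "undocumented": observed - documented,   # listening, but absent from the documentation
        "not_observed": documented - observed,   # documented, but not found listening
        "confirmed": observed & documented,
    }


if __name__ == "__main__":
    findings = reconcile(DOCUMENTED, parse_ss(SAMPLE_SS_OUTPUT))
    for kind, entries in findings.items():
        print(f"{kind:13}: {sorted(entries)}")
```

An `undocumented` entry is the integrity finding the assessment case is looking for: an external interface the documentation never identified, so it was never evaluated against any mechanism. A `not_observed` entry is worth following up as well, since a documented interface that is not actually present may mean the documentation describes a different firmware build than the one under test.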