How Should the Electronics Industry Prepare for the Radio Equipment Directive (RED) and the EU Cybersecurity Resilience Act (CRA)?
Device manufacturers, software suppliers and chip vendors will be aware that they need to prepare for forthcoming cybersecurity regulation. Most of the detailed security requirements are still in development, but when they come into force, they will have a profound effect on the electronics industry.
From the beginning of PSA Certified, the founders have worked together to monitor the ever-changing regulatory landscape surrounding the security of connected devices. The result of this analysis is the latest version of PSA Certified Level 1 (version 3.0) that includes regulatory requirements for UK PSTI, EU CRA and EU RED. This blog covers two of the most prominent regulations emerging in Europe, what they mean for you, and how you can prepare.
What is the Radio Equipment Directive (RED)?
The RED directive will apply to wirelessly connected devices (also referred to as “Radio Equipment” and shortened to “Equipment”) sold in the EU from August 2025. This was originally planned for August 2024, and this is a delay of one year from the previous plan and is to allow for “harmonized” security requirements to be developed by CEN-CENELEC’s JTC 13 Working Group 8 experts. The requirements are expected to be available in the summer of 2024. Since most IoT and connected products integrate wireless radios and network stacks such as WiFi and Thread and most manufacturers will want to sell into Europe, the technical RED requirements will be of great importance to the market. The legislation aims to: improve network resilience, protect consumers’ privacy and reduce the risk of monetary fraud. The technical requirements are expected to focus on baseline cybersecurity requirements that will help safeguard Equipment from basic security attacks. Manufacturers will be able to perform a self-assessment if the product is designed in accordance with a harmonised standard or rely on third-party assessment.
What is the Status of the Radio Equipment Directive (RED)?
Device makers are waiting for the CENELEC’s requirements to be published so that they can design to meet the detailed requirements and tests. To understand what might be in the future harmonized standard we can look at the standardisation request from the EU to CENELEC (see page 14).
As a Device Manufacturer, How Can I Prepare for the Radio Equipment Directive (RED)?
In the latest version of PSA Certified Level 1 we have included a new “Section 7” on regulation. We have included the EU RED requirements (alongside EU CRA and UK PSTI) and use the exact wording from EU’s standardisation request. The PSA Certified JSA members thought this to be the best approach currently available to OEMs who can fill out their responses and showcase that they are getting ready for EU RED. When the harmonized standard for RED becomes available, the plan is to ensure that it, too, is included in a future version of PSA Certified Level 1.
What is the EU Cyber Resilience Act?
The EU Cyber Resilience Act has an even broader scope than RED as it applies to “products with digital elements”. The requirements will cover almost the entire electronics industry in its current draft proposal stage, including chips, software, devices and apps. It considers the lifecycle of products as well as baseline security requirements, for example, asking for five years of updates. Products are split into three categories with varying conformance approaches: self-assessment for non-critical, 3rd party assessment or application of a standard for Critical Class I products, and 3rd party under a national body for Critical Class II products. The draft requirements are functional in style with 12 technical requirements, 8 regarding vulnerability handling and 9 on information.
What is the Status of the EU Cyber Resilience Act?
At the time of writing the EU Cyber Resilience Act has not been passed into law. It is expected to happen soon as the EU institutions, the European Council and the European Parliament reached political agreement on December 3rd 2023. The bulk of the EU CRA requirements will come into force three years after enactment. It is worth noting that the security vulnerability and cyber incident reporting will come into force sooner (possibly before the end of 2025). It will also take some considerable time to establish approved conformity assessment bodies. As in the case of RED, we can expect harmonized technical requirements to be developed by CEN/CENELEC. Whilst we are waiting for these the PSA Certified JSA members have taken the approach to use the exact wording of the requirements in the latest draft of the legislation.
As a Device Manufacturer, How Can I Prepare for the EU Cyber Resilience Act?
The new version of PSA Certified Level 1 includes the EU CRA requirements from Annex 1 and 2 of the legislation. It offers a way for OEMs, software platforms and chip vendors to write their responses to the requirements and have them independently assessed to check for completeness, consistency and sound rationale. As with RED, a sensible approach is for device manufacturers to also adhere to cybersecurity best practices. PSA Certified offers an efficient way to do this that is aligned with both EN 303645 and NIST 8259 as well as the PSA Security Model’s 10 goals.
How Will RED and the EU Cyber Resilience Act Work Together?
It is still being determined how RED directive requirements and EU CRA will play together. Both have harmonized technical requirements that are in development and not yet public. We can hope that EU RED requirements might be a subset of EU CRA, let’s keep our fingers crossed. However, it’s clear that if you are a maker of a connected thermostat with a product in September 2025 you will need to self-assess for RED requirements (currently in development).
What still needs to be clarified is what happens when the EU Cyber Resilience Act becomes law and in force. For example, if you launch another product in September 2027 will you have to do two assessments: one for RED and another for EU CRA? There are some positive signs, as the EU CRA proposal has a section on “interplay” with RED, however it is difficult to know for sure how the interaction will work out in practice.
Of the two initiatives, the urgent one to respond to is the RED directive but we are all waiting for a published version of cybersecurity requirements from CENELEC. EU CRA is on a longer horizon and the publication of the draft enables companies to start preparing. Whilst we are in this “waiting for harmonized standards” period we suggest filling out section 7 of PSA Certified Level 1 v3.0 and checking how well your product complies. Where there are gaps you can start to fill them ahead of legislation coming into force.
How Can PSA Certified Help You Prepare for Legislation?
If you’re new here, you may not know that PSA Certified is an independent security evaluation scheme for IoT and connected chips, system software and devices. Our mission is to make it easier and quicker for the value chain to build secure by design products that start with a hardware Root of Trust and prove it through lab-based assessment.
PSA Certified is maintained by a board of co-founders, who are all committed to monitoring the security landscape to ensure we’re proactively preparing manufacturers for upcoming legislation. As mentioned in the blog, the PSA Certified Level 1 document now includes a “Section 7: Regulation” that covers EU CRA, EU RED and UK PSTI. We have made commitments that our future versions will be updated to track important regulatory requirements (such as EU CRA).
If you would like to find out more about PSA Certified and how it unifies the security requirements from NIST and ETSI head over to our PSA Certified Level 1 landing page here.