EU: Cybersecurity Standardization for Radio Systems

CEN, CENELEC, ETSI and ISO/IEC - an important classification

Cybersecurity and information security requirements are becoming more and more prevalent. At the same time, the requirements are becoming more complex and diverse. We would therefore like to report on the products and current developments of the various standardization organizations in this area. 

On October 29, 2021, the activation of additional essential requirements for radio equipment was announced; after an extension by the EU Commission, these requirements will be binding from August 1, 2025 (!).

In addition to the already known essential requirements on health and product safety in Article 3(1)(a), electromagnetic compatibility in Article 3(1)(b) and the use of the radio spectrum in Article 3(2), three subparagraphs of Article 3(3) will now be activated.

CEN/CENELEC


Three standards are to be listed in the Official Journal of the EU to provide presumption of conformity for the new information security requirements under the Radio Equipment Directive (RED). CEN/CENELEC has been given the mandate to draw up these standards.

Three draft standards are currently circulating for comment among the parties involved. 

  • Common security requirements for radio equipment connected to the Internet are dealt with in EN 18031-1.

  • Common security requirements for devices that process personal data are covered in EN 18031-2.

  • Common security requirements for Internet-connected radio equipment processing virtual money or monetary values are covered in EN 18031-3.

The three drafts are very extensive, with over 120 pages each.

ETSI


Before CEN/CENELEC had received the mandate for standardization, ETSI, the third European Standardization Organization (ESO) in the group, had already submitted a standard: ETSI EN 303 645.

ETSI EN 303 645 even goes beyond the scope of the RED, as it covers not only product-related requirements but also process-related requirements for the manufacturer.

(!) However, ETSI EN 303 645 will not be included in the Official Journal of the EU and therefore does not give rise to a presumption of conformity. 

The relevance of this standard is underlined not least by the fact that manufacturers of "IoT products for consumers" can have their products tested and certified in accordance with ETSI EN 303 645 as part of the IECEE CB procedure. This is unusual, as the assessment in that scheme is normally based on IEC standards.

IEC


Another family of standards is already used in the context of machinery and industrial automation: the IEC 62443 series. This family currently consists of 19 standards publications and drafts, which are assigned to 6 groups. The individual standards can contain both process requirements and technical requirements.

Members of this family of standards would also be candidates to assess the information security requirements of the Radio Equipment Directive. 

This year, ETSI has made an important contribution with a technical specification: ETSI TS 103 929 V1.1.1 (2023-02).

This document compares the information security requirements in RED Articles 3(3)(d), 3(3)(e) and 3(3)(f) with two standards:

  • IEC 62443-4-2: IT security for industrial automation systems, part 4-2: Technical security requirements for components of industrial automation systems (IACS)

  • ETSI EN 303 645: Cybersecurity for the Internet of Things for consumers: Basic requirements

ISO/IEC


For the sake of completeness, we would like to mention the ISO/IEC 27000 series at this point. Anyone who wants to set up an information security management system (ISMS) in a company cannot avoid this series. For example, the "IT-Grundschutz" (IT baseline protection) standard from the German Federal Office for Information Security (BSI) is compatible with the ISO/IEC 27001 standard.

For the world of connected products, ISO/IEC 27400:2022 (Cybersecurity - IoT security and privacy - Guidelines) was published in June 2022 and has now been supplemented by ISO/IEC 27402 (Cybersecurity - IoT security and privacy - Device baseline requirements) in November 2023.

The publications of the ISO/IEC JTC 1/SC 27 (Information security, cybersecurity, and privacy protection) committee are definitely worth a look.

Recommendation

The three draft standards in the EN 18031-x series are not currently available to the general public. 

The three drafts are expected to be made available to the public in January 2024. The current schedule envisages that the standards will then be published by June 30, 2024. We recommend that manufacturers of radio products familiarize themselves with the drafts at an early stage, as the notified bodies will refer to them.

As long as the three standards in the EN 18031-x series are not available to the general public, we recommend basing information security measures on the existing ETSI EN 303 645.

It is also advisable to keep an eye on IEC 62443-4-2, as this standard and other members of the IEC 62443-x-x family of standards are likely to be considered in the context of the Cyber Resilience Act (CRA). The standards in the EN 18031 series are also to be listed for the Cyber Resilience Act (CRA) for radio equipment.

If the listing of the technical standards EN 18031-1, EN 18031-2 and EN 18031-3 in the Official Journal of the EU does not take place until after August 1, 2025, the conformity assessment must be carried out with a notified body, i.e., by EU-type examination.

If you have any questions on this topic, please do not hesitate to contact us!

Author

Benjamin Kerger (B. Eng.)

Product Compliance Consultant

Published on 01.12.2023
Category: Cybersecurity, Focus Industry, Focus Consumer Goods & Retail, Focus Electrical and Wireless, Compliance
