Cybersecurity and information security requirements are becoming more and more prevalent, and at the same time more complex and diverse. We would therefore like to report on the publications and current developments of the various standardization organizations in this area.
On October 29, 2021, the EU Commission adopted a delegated regulation activating additional essential requirements for radio equipment. After an extension granted by the Commission, these requirements will be binding from August 1, 2025 (!).
In addition to the already known essential requirements on health and safety in Article 3(1)(a), electromagnetic compatibility in Article 3(1)(b) and the efficient use of the radio spectrum in Article 3(2), three subparagraphs of Article 3(3) are now being activated: (d) network protection, (e) protection of personal data and privacy, and (f) protection from fraud.
CEN/CENELEC
Three harmonized standards are to be listed in the Official Journal of the EU to provide a presumption of conformity with the new information security requirements of the Radio Equipment Directive (RED). CEN/CENELEC has been given the mandate to draw up these standards.
Three draft standards are currently circulating for comment among the parties involved.
- Common security requirements for radio equipment connected to the Internet (Article 3(3)(d)) are dealt with in EN 18031-1.
- Common security requirements for radio equipment that processes personal data (Article 3(3)(e)) are covered in EN 18031-2.
- Common security requirements for Internet-connected radio equipment that processes virtual money or monetary value (Article 3(3)(f)) are covered in EN 18031-3.
The three drafts are very extensive, at over 120 pages each.
ETSI
Before CEN/CENELEC received the standardization mandate, ETSI, the third European Standardization Organization (ESO) alongside CEN and CENELEC, had already published a relevant standard: ETSI EN 303 645.
ETSI EN 303 645 even goes beyond the scope of the RED: it covers not only product-related requirements but also process-related requirements for the manufacturer, such as vulnerability disclosure and software update handling.
(!) However, ETSI EN 303 645 will not be included in the Official Journal of the EU and therefore does not give rise to a presumption of conformity.
The relevance of this standard is underlined not least by the fact that manufacturers of consumer IoT products can have them tested and certified against ETSI EN 303 645 under the IECEE CB Scheme. This is unusual, as assessment under the CB Scheme is normally based on IEC standards.
IEC
Another family of standards is already established in the context of machinery and industrial automation: the IEC 62443 series. It currently consists of 19 published standards and drafts, assigned to 6 groups. The individual parts can contain both process requirements and technical requirements.
Members of this family of standards are also candidates for assessing the information security requirements of the Radio Equipment Directive.
This year, ETSI made an important contribution with a technical specification: ETSI TS 103 929 V1.1.1 (2023-02).
This document maps the information security requirements of RED Articles 3(3)(d), 3(3)(e) and 3(3)(f) to two existing standards:
- IEC 62443-4-2
Security for industrial automation and control systems, Part 4-2: Technical security requirements for IACS components
- ETSI EN 303 645
Cyber Security for Consumer Internet of Things: Baseline Requirements
ISO/IEC
For the sake of completeness, we would also like to mention the ISO/IEC 27000 series. Anyone who wants to set up an information security management system (ISMS) in a company cannot avoid this series. For example, the IT-Grundschutz methodology of the German Federal Office for Information Security (BSI) is compatible with ISO/IEC 27001, and BSI issues ISO/IEC 27001 certificates on the basis of IT-Grundschutz.
For the world of connected products, ISO/IEC 27400:2022 (Cybersecurity - IoT security and privacy - Guidelines) was published in June 2022 and has now been supplemented by ISO/IEC 27402:2023 (Cybersecurity - IoT security and privacy - Device baseline requirements), published in November 2023.
The publications of the ISO/IEC JTC 1/SC 27 committee (Information security, cybersecurity and privacy protection) are definitely worth a look.
Recommendation
The three draft standards of the EN 18031-x series are not yet available to the general public.
The drafts are expected to be released for public enquiry in January 2024, and the current schedule envisages publication of the final standards by June 30, 2024. We recommend that manufacturers of radio equipment familiarize themselves with the drafts at an early stage, as the notified bodies will refer to them.
As long as the EN 18031-x standards are not publicly available, we recommend basing information security measures on the existing ETSI EN 303 645.
It is also advisable to keep an eye on IEC 62443-4-2, as this standard and other members of the IEC 62443-x-x family are likely to be considered in the context of the Cyber Resilience Act (CRA). The EN 18031 series is also intended to be listed under the CRA for radio equipment.
If the references to EN 18031-1, EN 18031-2 and EN 18031-3 are not published in the Official Journal of the EU before August 1, 2025, manufacturers cannot rely on a presumption of conformity for Article 3(3)(d), (e) and (f), and the conformity assessment must involve a notified body, either by EU-type examination (RED Annex III, Module B followed by Module C) or by full quality assurance (Annex IV, Module H).
If you have any questions on this topic, please do not hesitate to contact us!
Author
Benjamin Kerger (B. Eng.)
Product Compliance Consultant