On January 12, 2022, the Official Journal of the European Union published Delegated Regulation (EU) 2022/30, with regard to enforcing RED Cybersecurity Requirements in Article 3.3(d), (e) and (f). The regulation increases cybersecurity, personal data privacy and protection from fraud for applicable wireless devices placed on the EU market. It came into effect February 1, 2022, and becomes mandatory August 1, 2024.
RED Article 3.3 Cybersecurity Scope
The new regulation applies to “internet-connected radio equipment”, whether the equipment connects directly via the internet or via any other equipment, which must:
(d) not harm the network or its functioning or misuse network resources, thereby causing an unacceptable degradation of service
(e) incorporate safeguards to ensure that the personal data and privacy of the users and subscribers are protected
(f) support certain features ensuring protection from fraud
Examples of products covered under the new regulation are:
-
- mobile phones, tablets and laptops
- wireless toys and radio equipment for childcare such as baby monitors
- wearable radio equipment such as smartwatches, headsets and fitness trackers
What can manufacturers do now?
The regulation establishes essential requirements that must be followed in relation to the design and manufacture of certain radio equipment. Although IoT providers have 2.5 years to adapt their products to the new compliance restrictions, it is not too early to begin integrating the minimum cybersecurity, privacy, and fraud prevention requirements now.
Currently, no harmonized standards cover the scope of the RED Article 3.3 regulation. However, the standards will be developed with industry participation and assessed by the European Commission and are projected to be in place 10 months before the requirements become mandatory.
For more information on compliance with the new cybersecurity requirements, please contact iCertifi.