Anticipating the Upcoming EU Radio Equipment Directive Cybersecurity Standard

This blog was originally posted on 1st May, 2024. Further regulatory developments may have occurred after publication. To keep up-to-date with the latest compliance news, sign up to our newsletter.

AUTHORED BY AARON GREEN, SENIOR REGULATORY COMPLIANCE SPECIALIST, COMPLIANCE & RISKS

Introduction

In June of 2024, CENELEC is expected to issue a harmonized standard for compliance with the impending cybersecurity requirements for devices covered by the EU Radio Equipment Directive (RED). 

In this blog, we provide a summary of a recent paper published in IEEE Xplore on the current state of the art in cybersecurity standards and how it relates to the draft CENELEC standard for radio equipment.

What are the Challenges?

In contrast to the existing ETSI EN 303 645 standard for IoT devices, the goal of the new CENELEC standard is to provide requirements that are broad enough to apply to all equipment covered by the EU Radio Equipment Directive but also specific enough to ensure adequate protection for the covered equipment. This divided goal has presented the drafting body with significant challenges.

These challenges are highlighted by Djebbar and Nordström in their comparative analysis of industrial cybersecurity standards ETSI EN 303 645 v2.1.1 for consumer devices connected to the internet, ISA/IEC 62443-3-3:2019 for industrial automation and control systems, and ISO/IEC 27001:2022 for information security management systems¹. 

The key points of the analysis are as follows:

• ISO 27001 includes all of the general requirements of ETSI EN 303 645, but does not provide for the same level of detail in implementation. The ISO standard can be used to ensure IoT equipment cybersecurity within an organization, but it is not a substitute for ETSI 303 645 for certification purposes.
• ISA 62443-3-3 includes requirements for critical industrial systems with a particular emphasis on physical and technological features, and these critical systems requirements differ in material terms from the ISO and ETSI standards.
• Of the three standards, only ISO 27001 emphasizes the need for cyber resilience and recovery after a successful attack.

Although Djebbar and Nordström do not make any recommendations expressly for the RED standard drafting committee, their conclusions indicate that the present state of the art in cybersecurity standards has enough overlap across industries and device configurations for the committee to provide a unified standard without contradicting existing cybersecurity design practices. This was also the view expressed by CENELEC, suggesting that the new standard will not introduce new technical solutions for cybersecurity, but is likely to provide a more thorough map between equipment and security measures than what exists in the prevailing standards.  

International Adoption

In terms of international adoption, ISO 27001 is the most commonly referenced of the three standards appearing as a framework for numerous cybersecurity plans and policy discussions, while ISA 62443-3-3 is only mentioned in a handful of policy roadmaps. 

ETSI 303 645 has the most practical applications.  It has been adopted as a mandatory baseline for IoT security in the UK² and Brazil³, and as the basis for voluntary certification in the US⁴, Japan, Singapore⁵ and Hungary⁶, as well as codes of practice in India⁷, Australia⁸, Philippines⁹ and Bahrain¹⁰. 

1. https://ieeexplore.ieee.org/document/10210561:  F. Djebbar and K. Nordström, “A Comparative Analysis of Industrial Cybersecurity Standards,” in IEEE Access, vol. 11, pp. 85315-85332, 2023, doi: 10.1109/ACCESS.2023.3303205.
   ↩︎
2. https://www.legislation.gov.uk/uksi/2023/1007/pdfs/uksi_20231007_en.pdf ↩︎
3. https://informacoes.anatel.gov.br/legislacao/atos-de-certificacao-de-produtos/2021/1505-ato-77 
   ↩︎
4.  https://www.govinfo.gov/content/pkg/FR-2023-08-25/pdf/2023-18357.pdf ↩︎
5. https://www.csa.gov.sg/docs/default-source/our-programmes/certification-and-labelling-scheme/cls/publications/csa-cybersecurity-certification-guide.pdf?sfvrsn=a486afd5_0 
   ↩︎
6.  https://technical-regulation-information-system.ec.europa.eu/en/notification/25648/text/D/EN 
   ↩︎
7.  https://www.tec.gov.in/pdf/M2M/Securing%20Consumer%20IoT%20_Code%20of%20pratice.pdf ↩︎
8. https://www.homeaffairs.gov.au/reports-and-publications/submissions-and-discussion-papers/cyber-security-regulations-incentives ↩︎
9.  https://dict.gov.ph/wp-content/uploads/2024/02/NCSP-2023-2028-FINAL.pdf ↩︎
10. https://tra-website-prod-01.s3-me-south-1.amazonaws.com/Media/Documents/Position_Papers_&_Guidelines/20230227104608563_te52qfeq_g5t.pdf ↩︎

Stay on Top of Cybersecurity Regulations

Want to stay ahead of evolving regulatory developments like the EU Radio Equipment Directive?

Accelerate your ability to achieve, maintain & expand market access for all products in global markets with C2P – Your key to unlocking market access, trusted by more than 300 of the world’s leading brands.
C2P is an enterprise SaaS platform providing everything you need in one place to achieve your business objectives by proving compliance in over 195 countries.

C2P is purpose-built to be tailored to your specific needs with comprehensive capabilities that enable enterprise-wide management of regulations, standards, requirements and evidence.
Add-on packages help accelerate market access through use-case-specific solutions, global regulatory content, a global team of subject matter experts and professional services.

• Accelerate time-to-market for products
• Reduce non-compliance risks that impact your ability to meet business goals and cause reputational damage
• Enable business continuity by digitizing your compliance process and building corporate memory
• Improve efficiency and enable your team to focus on business critical initiatives rather than manual tasks
• Save time with access to Compliance & Risks’ extensive Knowledge Partner network

Reducing Manual Efforts In Regulatory Impact Assessment

Join us for an insightful webinar where we’ll explore strategies, tools, and best practices for reducing manual efforts in Regulatory Impact Assessment.

watch NOW