Radio Equipment Directive Delegated Act (RED-DA)

Radio Equipment Directive Delegated Act (RED-DA)

As connected technologies become increasingly widespread, they bring significant convenience to users but also escalate cybersecurity risks, which are becoming more complex and diverse. To address these challenges, the European Commission introduced the Radio Equipment Directive Delegated Act (RED-DA) to establish higher safety and performance standards for wireless equipment, enhancing compliance and market adaptability. This act took effect on February 1, 2022, and will become mandatory on August 1, 2025.

 

Scope and Requirements:

RED-DA supplements the Radio Equipment Directive (RED) and establishes three fundamental cybersecurity requirements under Article 3.3(d), (e), and (f):

1.      Article 3.3(d): Network Protection

•       Devices must ensure they do not harm networks or their functionality, nor misuse network resources, to avoid service degradation.

•       Scope: Any wireless device capable of internet communication.

2.      Article 3.3(e): Data and Privacy Protection

•       Devices must include safeguards to protect user personal data, traffic data, and location data.

•       Scope: Devices processing personal, traffic, or location data.

3.      Article 3.3(f): Fraud Prevention

•       Devices must support specific functionalities to mitigate fraud risks, such as secure transfer of currency or virtual assets.

•       Scope: Wireless devices handling monetary or virtual currency transfers.

 

Excluded Devices:

Certain devices are excluded from RED-DA’s scope, including medical equipment, motor vehicles, electronic toll collection (ETC) systems, and remote-controlled drones, as these are regulated under other directives.

 

Harmonized Standards:

The technical requirements of RED-DA correspond to the EN 18031 series of standards, which include:

1.      EN 18031-1: Network Protection

2.      EN 18031-2: Privacy Protection

3.      EN 18031-3: Fraud Prevention

 

These standards categorize assets into security, network, privacy, and financial assets. They reference existing cybersecurity requirements to evaluate device safety, laying a foundation for future RED-DA compliance.

 

Impact and Compliance Requirements:

RED-DA will become mandatory on August 1, 2025, making compliance a prerequisite for manufacturers and brands entering the EU market. Companies must incorporate cybersecurity considerations during product design and production, conduct compliance testing based on relevant standards, and ensure their devices meet regulatory requirements to enhance safety and competitiveness.

 

For products already certified IEC 62443 or ETSI EN 303 645 by TÜV NORD, we provide support tailored to address standard differences, assisting manufacturers in navigating multi-standard and multi-market compliance challenges with confidence.