EU RED Updates Cybersecurity Requirements with New Articles
NEWS
The 10-year-old European Union (EU) Radio Equipment Directive 2014/53/EU (RED) was recently updated, through a Delegated Act (DA) procedure, with new Articles (3(3)(d), (e), and (f)) to expand protection from a personal data protection and privacy perspective, as well as to enhance cybersecurity requirements to avoid network misuse/degradation and to protect from fraud. EU RED is an EU regulatory instrument for harmonizing basic requirements for radio equipment across member states (covering the use of radio spectrum, electromagnetic compatibility, health and safety, etc.). These new requirements are targeted at radio equipment manufacturers, and specifically at their incorporation of security safeguards during the design and manufacturing process. While the DA was meant to come into force in August 2024, this was pushed back by a year, as not all member states had implemented the relevant instruments needed for harmonized compliance.
OEMs Already Announcing EU RED DA Compliance
IMPACT
Regardless of the delays from a regulatory perspective, a number of Original Equipment Manufacturers (OEMs) have already started early certification against the new security articles. Both SolarEdge and Quectel made announcements to that effect in October 2024. SolarEdge Technologies, a provider of smart energy technologies, has certified its portfolio of Photovoltaic (PV) inverters with Kiwa. Its PV inverters use wireless connectivity (Wi-Fi) for solar energy systems (that can be used in the home or elsewhere). Similarly, Quectel Wireless Solutions, which operates in the Internet of Things (IoT) solutions space, stated that its EG91-EX Long Term Evolution (LTE) Cat 1 module has been certified by TÜV SÜD. The modules are used for low-power Machine-to-Machine (M2M) and IoT applications leveraging LTE (cellular) networks, including smart metering, asset tracking, wearables, environmental monitoring, security systems, etc.
Interestingly, Quectel also offers Software Bill of Materials (SBOM) generation for its IoT modules, offering another level of security visibility in addition to the EU RED requirements. Although not currently mandated by law, SBOMs are increasingly the focus of policy directives and future regulation, especially in the United States (Executive Order (EO) 14028) and in the proposed EU Cyber Resilience Act (Article 37). Coupling SBOMs with certified security integration in hardware design and manufacture is likely to become an increasingly desirable proposition for end users, giving buyers visibility into, and a clear understanding of, the hardware and software supply chain. That is an advantage both in countering the rise in supply chain attacks and in meeting regulatory compliance requirements.
Early Certification for a Competitive Advantage
RECOMMENDATIONS
Early certification with the EU RED DA provides a competitive edge to those manufacturers, and this is key in the particularly fast-growing IoT and energy markets, which are highly attractive targets for threat actors. The success of those technologies, and the uptake of the markets they service, lies in part with the trustworthiness of their underlying makeup. If they are easily misused or hijacked, their value as a product plummets. And this is without taking into account the fallout from a data breach or network degradation. The EU has a proven track record in setting global standards in cybersecurity regulation. With the update to the RED, it seeks to foster a more resilient environment for radio equipment, the critical piece of technology that allows ubiquitous connectivity. Those vendors that can already provide assurances, through certification, that they are meeting those requirements will be able to cement their position as purveyors of trustworthy connectivity products. For those OEMs that are targeting the EU market with connectivity products, the time is now to look at compliance, in order to ensure they stay relevant in a highly dynamic market. Adding other functionalities such as SBOMs would be a way to distinguish themselves from other vendors, and really compete in the top tier of trustworthy hardware manufacturers.