Europe gets ready to secure radio devices
Cybersecurity in radio equipment and devices is one of the major milestones set by the European Commission for the coming years. Given the importance of these devices and their increasing use by citizens, the creation of a legal framework that defines and harmonises the measures to be complied with by manufacturers wishing to market their products in Europe is a priority.
There are several points of particular concern for the European Commission in terms of security, which can be summarised in four:
5G: A few weeks ago, we explained in our blog "Cybersecurity certification in 5G" the importance of this new technology and how the use of 5G could affect several devices, including a large number belonging to the radio spectrum.
Increased cybersecurity risks as a result of the growing use by professionals and consumers, including children, of radio equipment communicating on the Internet.
Concerns about protection against damage to the network, protection of personal data and privacy of users and subscribers, as well as protection against fraud.
The protection of the cybersecurity of medical devices.
Therefore, just a month ago, Commission Delegated Regulation (EU) 2022/30 of 29 October 2021 was published. It supplements Directive 2014/53/EU on the harmonisation of the laws of the Member States relating to the making available on the market of radio equipment, and it will impose certain cybersecurity requirements, although these are yet to be determined based on what is agreed in the working groups in charge of standardisation.
When will it be applicable and what steps must be taken?
This standard will be applicable from 1 August 2024, so the ESOs (the European Standardisation Organisations) are currently working on its standardisation through working groups specialised in the different areas that make up the standard. At jtsec we are very proud to be part of the working group that will help to standardise the cybersecurity requirements to be applied in this Directive.
The next steps to be taken by the organisations and companies involved in the standardisation process, which must be completed by October 1, 2023, are as follows:
Receive and process the request for standardisation.
Development of the necessary standards.
Review of these standards.
Approval.
Publication of the standards.
Essential radio equipment manufacturing requirements
According to this regulation there are several requirements to be met by radio equipment manufacturers who want to market their products/services in the European Union. To this end, radio equipment must be manufactured in such a way as to ensure:
The protection of health and safety of persons and of domestic animals and the protection of property, including the objectives with respect to safety requirements set out in Directive 2014/35/EU, but with no voltage limit applying.
An adequate level of electromagnetic compatibility as set out in Directive 2014/30/EU.
Furthermore, radio equipment shall be so constructed that it both effectively uses and supports the efficient use of radio spectrum in order to avoid harmful interference.
Therefore, radio equipment falling into certain categories or classes must be manufactured so that it complies with the essential requirements (including certain cybersecurity requirements):
The radio equipment interworks with accessories, in particular with common charging devices.
The radio equipment interworks via network with other radio equipment.
The radio equipment can be connected to interfaces of the appropriate type throughout the Union.
The radio equipment does not harm the network and its functioning, nor misuse network resources in a way that causes unacceptable degradation of service.
The radio equipment incorporates safeguards to ensure that the personal data and privacy of the user and of the subscriber are protected.
The radio equipment supports certain features ensuring protection from fraud.
The radio equipment supports certain features ensuring access to emergency services.
The radio equipment supports certain features in order to facilitate its use by users with disability.
The radio equipment is compatible with certain features ensuring that software can only be loaded into the radio equipment where the compliance of the combination of the radio equipment and software has been demonstrated.
Conclusions
Although we still do not know for certain which cybersecurity requirements will be included in the future Directive, and which manufacturers should integrate into the life cycle of their products, we have the sense that they will not be very different from certain standards currently in use, such as IEC 62443-4-1, IEC 62443-4-2 or ETSI standards.
These standards, aimed at the industrial sector, can serve as a guide for manufacturers to get an idea of what type of cybersecurity requirements can be applied to their equipment/products.