The Radio Equipment Directive is changing. In 2021, an addendum was made to add cybersecurity requirements. These come into force in August 2025, so you have just under a year to meet them.
Based on an average of product development cycles, it means you need to start making the changes now. The update specifically affects devices connected to the internet, either directly or via other equipment.
(So, if your product is standalone and has no internet connectivity, then you can stop reading now, relax, and have a coffee – you’re good).
If, however, your product sends or receives data via Wi-Fi, Thread, Zigbee, Sigfox, LPWPAN, 2G, 3G, 4G, 5G, NB-IoT, LTE-M or has a wired connection to a modem… then read on.
This is ME – our product(s) are sold only in the UK
As you’re probably aware, Brexit caused some legislation divergence, for example the European Radio Equipment Directive (RED) was replaced in the UK by the Radio Equipment Regulations.
The regulations haven’t been updated to include cybersecurity requirements in the same way as RED. Instead, the UK has a new regime for cybersecurity: the Product Security and Telecommunications Infrastructure Act 2022, or PTSI for short.
If your devices connect directly to the Internet using an Internet Protocol such as TCP/IP or UDP/IP – or if they can be connected via another network to send and receive data between themselves and one of those devices can connect to the Internet, they are in the scope of the PSTI.
This means that short-range radio devices (SRD) operating on an ISM (Industrial, Scientific, and Medical) frequency band aren’t subject to the requirements of PSTI. However, as soon as one of those devices can connect to an internet-connected device, the short-range devices fall into scope.
(Keep a look out on our LinkedIn page for a deep dive into PSTI and UKCA, coming soon)
This is ME – our product(s) are sold across the EU
Three new European standards have been published for products sold or placed on the market within the EU.
However, these have not yet been cited in the Official Journal of the EU (OJEU). Until they are cited and become a harmonised standard, you will need a notified body to confirm compliance with the updated Radio Equipment Directive.
Timing here is important.
Commission delegated regulation (EU)2022/30 of 29 October 2021 takes effect on 1 August 2025 after being pushed back by a year. The relevant standards were made available on 14th August 2024; the process of publishing them in OJEU is ongoing.
The current date for formally announcing the existence of the standard is 30th November 2024, and then onto publication into OJEU on 28th February 2025. Fortunately, these dates are well before the 1 August 2025 date. So, there will likely be no further changes to the standards soon.
Prudent manufacturers can now confidently begin work streams to ensure product compliance requirements can be met. The standards’ requirements may affect hardware, firmware, and software.
So, it would be wise to take action now – rather than wait until too late.
Does it apply to me?
The change applies to any product that connects to the Internet, whether directly or via other equipment. All products that can ultimately connect to the Internet are known as Internet-connected radio equipment.
Some examples are:
- Equipment that uses radio technology for communication over the internet such as mobile phones, tablets, electronic cameras, telecommunication equipment
- Devices that can communicate or transmit data through IoT devices
- Toys and childcare equipment, such as baby monitors
- Wearable devices such as smartwatches or fitness trackers
- Connected industrial devices and many more
The updated regulations don’t apply to standalone radio systems. As soon as any element of that system can connect to the Internet, it falls into scope.
All IoT (Internet of Things) devices are in scope, as are all radio devices that connect to a hub or base station with Internet connectivity capabilities.
Devices falling under the following regulations are not within scope as they have their own sets of requirements:
Regulation (EU) 2017/745 – medical devices
Regulation (EU) 2017/746 – in vitro diagnostic medical devices
Regulation (EU) 2018/1139 – aviation
Regulation (EU) 2019/2144 – motor vehicles
Directive (EU) 2019/520 – electronic road toll systems
What are the relevant standards?
- EN 18031-1:2024 Common security requirements for radio equipment. Internet-connected radio equipment.
- EN 18031-2:2024 Common security requirements for radio equipment. Radio equipment processing data, namely Internet-connected radio equipment, childcare radio equipment, toys radio equipment and wearable radio equipment.
- EN 18031-3:2024 Common security requirements for radio equipment. Internet-connected radio equipment processing virtual money or monetary value.
Still unsure?
If you’re still feeling a little overwhelmed and not sure where this leaves you – you can always reach out to us on 0115 772 2825 or drop us an email at enquiries@ignys.com.
We’ll arrange for one of our tribe to have a no-nonsense, non-salesy chat to see if we can clarify things for you.
We’re always friendly and it puts you under no obligation, we love talking shop.