RED-DA Regulations and Standards EN 18031

With the arrival of the Internet of Things (IoT) era, IoT devices are now ubiquitous in our lives. While they offer convenience in daily life and work, they also provide hackers with a fertile ground for launching cyberattacks. Therefore, the security of IoT products is a pressing issue that manufacturers must address.

Cybersecurity impacts many aspects of life, from everyday personal matters to national and geopolitical concerns. Governments around the world are increasingly prioritizing the development of cybersecurity capabilities and are introducing various laws and standards related to cybersecurity.

What is RED-DA?

In January 2022, the EU launched the RED-DA supplementary directive, RED Delegated Regulation (EU) 2022/30. This directive builds upon the Radio Equipment Directive (RED) (2014/53/EU) released in May 2014, and introduces mandatory provisions regarding cybersecurity for radio equipment. The mandatory enforcement date is August 1, 2025. The directive includes three main points:

1. Article 3.3(d)  

   Original text:  

   “Radio equipment does not harm the network or its functioning nor misuse network resources, thereby causing an unacceptable degradation of service.”  

   Translation:  

   Radio equipment must not harm the network or other functions of the network and must avoid misusing network resources to prevent unacceptable degradation of service.  

   Regulatory interpretation:  

   Network security measures must be strengthened for devices that can connect to the network, focusing on aspects like user access control, user authentication, security updates, and secure communication.

2. Article 3.3(e)  

   Original text:  

   “Radio equipment incorporates safeguards to ensure that the personal data and privacy of the user and of the subscriber are protected.”  

   Translation:  

   Radio equipment must have security safeguards to ensure the protection of personal data and privacy of users and subscribers.  

   Regulatory interpretation:  

   For devices that process personal data, traffic data, or location data, enhanced network security measures are required, such as user information collection notifications, privacy statements, log records, and access control to privacy data.

3. Article 3.3(f)  

   Original text:  

   “Radio equipment supports certain features ensuring protection from fraud.”  

   Translation:  

   Radio equipment must have capabilities to prevent financial fraud.  

   Regulatory interpretation:  

   Devices that involve financial transactions, whether with cash or virtual currency, must meet anti-fraud requirements, such as using encryption, confidentiality mechanisms, and integrity protection mechanisms, and preventing data leaks like credit card information or transaction passwords.

RED-DA Coverage

RED-DA is a mandatory regulation for cybersecurity in radio equipment, covering a wide range of devices, including but not limited to the following:

- Electronic devices: Smartphones, tablets, digital cameras, etc.;

- Telecommunications devices: Routers, switches, and other network communication equipment;

- IoT devices: Smart home devices, smart industrial control devices;

- Toys and childcare devices: Baby monitors, etc.;

- Wearable devices: Smartwatches, fitness trackers, etc.;

- Special industry equipment: Automotive electronics, drones, road management systems (only applicable to en 18031-1);

- Financial transaction products: POS machines, other financial terminals;

- Smart alarm devices: Automatic alarm systems with wireless functions.

Exemption Scope

- Medical devices: Devices covered by Regulation (EU) 2017/745 and (EU) 2017/746;

- Special industry equipment: Devices covered by Regulation (EU) 2018/1139 for drones, Regulation (EU) 2019/2144 for motor vehicles and parts, and Directive (EU) 2019/520 for road tolling systems (only exemptions for EN 18031-2 and -3, -1 still applies).

Introduction to EN 18031 Standards

In this context, the EU released the prEN 18031 Draft standard for the RED-DA cybersecurity directive in February 2024, and the final version of EN 18031 was published in August. The EN 18031 series consists of three parts:

- EN 18031-1:  

  Covers RED Directive Article 3.3(d), applicable to any radio equipment that communicates over the internet. It focuses on the impact of radio equipment on the network and the rational use of network resources. It requires devices not to harm the network or its operation, nor misuse network resources to severely impact services.

- EN 18031-2:  

  Corresponds to RED Directive Article 3.3(e), applicable to devices that handle personal data, traffic data, and location data. It focuses on protecting user and subscriber personal data and privacy.

- EN 18031-3:  

  Relates to RED Directive Article 3.3(f), applicable to connected radio equipment that allows holders or users to transfer money, currency value, or virtual currency. It ensures the security of devices in handling financial operations.

JJR Standard Evaluation Testing Process

Testing Steps:

1. Sample and Documentation Preparation:  

   - Prepare 2-3 samples (main unit and accessories).  

   - Provide firmware and test files.  

   - User manual/operation and installation guide.  

   - Complete Intake form (DUT includes ICS and IXIT forms).

2. Test Environment Setup:  

   - Set up the simulation test environment according to the user guide.

3. Initial Testing:  

   - Conduct document review and technical testing, and provide an initial testing report on-site.

4. Issue Resolution:  

   - PoC/tools provided by JJR.  

   - Email and phone consultation services are available.  

   - Submit verification once issues are resolved.

5. Verification Testing:  

   - Confirm whether the issues listed in the resolution checklist have been fixed and provide verification results.

6. Final Report and Submission to NB:  

   - Issue the final report and submit the standard, client, and laboratory records.  

   - Submit the report to the NB organization.

JJR Standard Cybersecurity Capabilities

JJR has a dedicated cybersecurity business line that includes the sales team, project management team, consulting team, and security laboratory. This team is committed to providing high-quality and efficient cybersecurity services to clients.

This translation maintains the structure and clarity of the original content while ensuring the technical terms are correctly conveyed in English.