
Radio Equipment Directive (RED)

New EU regulation – mandatory from August — NTC supports

There is currently a lot of discussion about the imminent introduction of new EU regulations, such as the Cyber Resilience Act (CRA), which regulates the cybersecurity of products with digital elements, or the NIS2 (network and information systems) Directive, which defines cybersecurity requirements for operators of critical infrastructure. These directives are currently being transposed into national law in various EU countries. Although Switzerland, as a non-EU country, is not directly affected, Swiss companies that operate in the EU must comply with these requirements from the time they come into force.

The Radio Equipment Directive also applies to Switzerland 

In addition to CRA and NIS2, there is another, often less noticed regulation: the Radio Equipment Directive (RED) (2014/53/EU). Unlike the previously mentioned regulations, this one has been implemented in Swiss legislation and is therefore applicable in Switzerland for devices with radio interfaces. Compliance is enforced by the Federal Office of Communications (OFCOM).
 
Originally introduced in 2014, the RED has been continuously expanded, most recently in 2022 with new cybersecurity requirements for internet-enabled devices with a radio interface. The new requirements will come into force on 1 August 2025 and will apply to devices newly placed on the market from that date. This will affect numerous product categories, including IoT devices, connected vehicles, Industry 4.0 applications and smartphones. 

The broad scope of the RED is interesting: for instance, the directive also regulates the EU-wide introduction of the universal USB-C charging port for devices with radio components.

Strict cybersecurity regulation for certain radio equipment

The "RED Cybersecurity Guidelines" defined in Article 3.3 (d, e, f) of the RED are described in more detail in the harmonized standards EN 18031-1, EN 18031-2, and EN 18031-3, which also specify the testing criteria. The titles of the standards are as follows:

    • EN 18031-1: Internet connected radio equipment
    • EN 18031-2: radio equipment processing data, namely internet connected radio equipment, childcare radio equipment, toys radio equipment and wearable radio equipment
    • EN 18031-3: Internet connected radio equipment processing virtual money or monetary value

The standards define numerous meaningful requirements, including secure mechanisms for access and authentication, updates, storage, logging and monitoring capabilities.

NTC finds numerous violations

The National Test Institute for Cybersecurity NTC tested a sample of networked devices such as an alarm system (EN 18031-1 because "radio equipment with Internet connection"), several children's smartwatches (EN 18031-2 because "childcare radio equipment" and "wearable radio equipment") and several baby monitors (EN 18031-2 because "childcare radio equipment"). The vast majority of the devices tested did not comply with the cybersecurity requirements that will come into force on 1 August 2025.

The sample is not representative and includes low-cost rather than high-end products. However, these are devices obtained through the common and established distribution channels in Switzerland. The results of the sample indicate an urgent need for action, especially with the new RED cybersecurity guidelines coming into force in a few months. Default access credentials such as “admin” or “1234”, lack of firmware update options, updates only for the first 1-2 years or unencrypted communication with the provider's cloud must be a thing of the past. In the event of non-compliance, OFCOM can impose measures such as fines or market bans.

NTC to conduct more cybersecurity tests

In the interest of Switzerland’s security and digital sovereignty, the NTC welcomes the new, stricter requirements and will continue to proactively analyze the cybersecurity of digital products on its own initiative. The NTC can easily source and analyze networked products via the online retailer Digitec Galaxus. This significantly facilitates the NTC’s work and underlines Digitec Galaxus' commitment to better and safer products. In the event of violations, the NTC informs the manufacturer or importer and, if necessary, OFCOM in its role as market regulator.