For manufacturers of wireless products and components
Understanding and Complying with the RED 3.3 Directive for Products with Wireless Capabilities
WEBINAR on DEMAND | IoT
Are you a manufacturer of products with wireless capabilities like NFC, Wi-Fi, or Bluetooth? If so, pay close attention. The EU Directive for Radio Equipment (RED 3.3) will bring significant changes to the market, and you need to act now to ensure your products meet the new cybersecurity requirements by August 2025.
Watch the webinar on demand to gain a comprehensive understanding of RED 3.3 and learn how to become compliant. Your hosts, Hugo Lenssen, Program Manager at RDI, the Dutch Authority for Digital Infrastructure; Michael Beine, Business Unit Manager Cybersecurity at Bureau Veritas; and Jasper Nota, Senior Security Specialist at Secura, will guide you through the essentials.
Intended Audience
This webinar is designed for manufacturers of products with wireless capabilities. It is particularly relevant for product managers, R&D managers, engineers, and compliance managers who need to understand the implications of RED 3.3 on their products and components.
WHAT YOU WILL LEARN
During this session, our experts will guide you through the essentials of RED 3.3, including:
- What impact do the RED 3.3 regulations have on your products?
- Which devices are in scope of RED 3.3?
- What is the compliance timeline?
- What are the steps to achieve compliance?
By the end of the webinar, you will have a clear understanding of RED 3.3, know if your products or components are in scope, and understand the steps needed to become compliant.
Key takeaways
1. Significance and Scope of RED 3.3 Compliance:
- The RED (Radio Equipment Directive) 3.3 regulations will become mandatory by August 2025, impacting manufacturers of products with wireless capabilities such as NFC, Wi-Fi, and Bluetooth. The directive focuses on ensuring cybersecurity and data privacy for wireless devices, covering aspects like encryption, firmware updates, and preventing unauthorized access.
- Compliance involves multiple stakeholders, including manufacturers, test labs, notified bodies, and market surveillance authorities. Each has a role in ensuring that the products meet the regulatory standards before being placed on the market. Notably, products already in the hands of users are excluded, but any new or modified products sold after August 2025 must comply.
2. Compliance Procedure and Standards:
- The compliance process under RED 3.3 includes several steps: initial awareness, health check or gap analysis, conceptual and functional assessment, and finally, obtaining certification. This process typically takes six to nine months, emphasizing the urgency for manufacturers to start now to meet the deadline.
- Manufacturers can use various standards to demonstrate compliance, such as ETSI EN 303 645 for IoT consumer products, IEC 62443 for industrial automation, and the upcoming EN 18031, which will allow self-assessment once harmonized by the EU. The involvement of test labs and notified bodies is crucial for standards that require third-party validation.
3. Challenges and Practical Examples of Vulnerabilities:
- The webinar highlighted common vulnerabilities found during assessments, such as insecure debug interfaces on security cameras, insecure storage of sensitive information (wireless credentials) on smart lights, and command injection vulnerabilities in industrial routers. These examples show the importance of physical and network security in preventing full fleet compromises. Vulnerabilities are not device-specific; these are just some examples encountered during testing.
- Manufacturers are advised to adopt a risk management approach, rather than treating compliance as a simple checklist. This involves thorough testing and continuous monitoring for vulnerabilities, ensuring that devices remain secure throughout their life-cycle.
These takeaways stress the importance of early preparation, understanding the regulatory framework, and adopting a comprehensive security approach to comply with RED 3.3.
ABOUT THE SPEAKERS
Hugo Lenssen, Program Manager at Rijksinspectie Digitale Infrastructuur
Hugo Lenssen is the Program Manager for Digitally Safe Products at the Dutch Authority for Digital Infrastructure (RDI). With extensive experience in government regulatory frameworks, he focuses on developing and enforcing legislation to ensure that everyday consumer products are digitally secure, always putting the user and customer first.
Michael Beine, Business Unit Manager Cybersecurity at Bureau Veritas
Michael Beine is the Business Unit Manager for Cybersecurity at Bureau Veritas Consumer Products Services. With over 22 years of experience, he manages a team of cybersecurity specialists providing training, consulting, testing, and certification services. Michael is also an auditor for IEC 62443 under the IECEE CB scheme, with extensive expertise in IoT and cybersecurity.
Jasper Nota, Cybersecurity Specialist at Secura
Jasper Nota is Senior Security Specialist at Secura with a specialization in IoT and cybersecurity assessments. As part of the product manufacturers market group, he conducts security evaluations for embedded systems, Android/iOS applications, and web applications. Jasper also leads certification projects for various IT products based on international and local Dutch standards, including CC, BSPA, IEC 62443, and ETSI EN 303 645.
Why choose Secura | Bureau Veritas
At Secura/Bureau Veritas, we are dedicated to being your trusted partner in cybersecurity. We go beyond quick fixes and isolated services. Our integrated approach makes sure that every aspect of your company or organization is cyber resilient, from your technology to your processes and your people.
Secura is the cybersecurity division of Bureau Veritas, specialized in testing, inspection and certification. Bureau Veritas was founded in 1828, has over 80,000 employees and is active in 140 countries.