For manufacturers of wireless products and components

Understanding and Complying with the RED 3.3 Directive for Products with Wireless Capabilities

WEBINAR on DEMAND | IoT

Image in image block

For Manufacturers of products with wireless capabilities

Are you a manufacturer of products with wireless capabilities like NFC, Wi-Fi, or Bluetooth? If so, pay close attention. The EU Directive for Radio Equipment (RED 3.3) will bring significant changes to the market, and you need to act now to ensure your products meet the new cybersecurity requirements by August 2025.

Watch the webinar on demand to gain a comprehensive understanding of RED 3.3 and learn how to become compliant. Your hosts, Hugo Lenssen, Program Manager at RDI, the Dutch Authority for Digital Infrastructure; Michael Beine, Business Unit Manager Cybersecurity at Bureau Veritas; and Jasper Nota, Senior Security Specialist at Secura, will guide you through the essentials.

WATCH THE REPLAY HERE

Intended Audience

This webinar is designed for manufacturers of products with wireless capabilities. It is particularly relevant for product managers, R&D managers, engineers, and compliance managers who need to understand the implications of RED 3.3 on their products and components.

WHAT YOU WILL LEARN

During this session, our experts will guide you through the essentials of RED 3.3, including:

  1. What impact do the RED 3.3 regulations have on your products?
  2. Which devices are in scope of RED 3.3?
  3. What is the compliance timeline?
  4. What are the steps to achieve compliance?

By the end of the webinar, you will have a clear understanding of RED 3.3, know if your products or components are in scope, and understand the steps needed to become compliant.

WATCH THE REPLAY HERE

Highlight-image

Key takeaways

1. Significance and Scope of RED 3.3 Compliance:

  • The RED (Radio Equipment Directive) 3.3 regulations will become mandatory by August 2025, impacting manufacturers of products with wireless capabilities such as NFC, Wi-Fi, and Bluetooth. The directive focuses on ensuring cybersecurity and data privacy for wireless devices, covering aspects like encryption, firmware updates, and preventing unauthorized access.
  • Compliance involves multiple stakeholders, including manufacturers, test labs, notified bodies, and market surveillance authorities. Each has a role in ensuring that the products meet the regulatory standards before being placed on the market. Notably, products already in the hands of users are excluded, but any new or modified products sold after August 2025 must comply.

2. Compliance Procedure and Standards:

  • The compliance process under RED 3.3 includes several steps: initial awareness, health check or gap analysis, conceptual and functional assessment, and finally, obtaining certification. This process typically takes six to nine months, emphasizing the urgency for manufacturers to start now to meet the deadline.
  • Manufacturers can use various standards to demonstrate compliance, such as ETSI EN 303 645 for IoT consumer products, IEC 62443 for industrial automation, and the upcoming EN 18031, which will allow self-assessment once harmonized by the EU. The involvement of test labs and notified bodies is crucial for standards that require third-party validation.

3. Challenges and Practical Examples of Vulnerabilities:

  • The webinar highlighted common vulnerabilities found during assessments, such as insecure debug interfaces on security cameras, insecure storage of sensitive information of wireless credentials on smart lights, and command injection vulnerabilities in industrial routers. These examples highlight the importance of physical and network security in preventing full fleet compromises. Vulnerabilities are not device specific, these are just some examples encountered during testing.
  • Manufacturers are advised to adopt a risk management approach, rather than treating compliance as a simple checklist. This involves thorough testing and continuous monitoring for vulnerabilities, ensuring that devices remain secure throughout their life-cycle.
    These takeaways stress the importance of early preparation, understanding the regulatory framework, and adopting a comprehensive security approach to comply with RED 3.3.

WATCH THE REPLAY HERE

ABOUT THE SPEAKERS

Hugo Lenssen, Program Manager at Rijksinspectie Digitale Infrastructuur

Hugo Lenssen is the Program Manager for Digitally Safe Products at the Dutch Authority for Digital Infrastructure (RDI). With extensive experience in government regulatory frameworks, he focuses on developing and enforcing legislation to ensure that everyday consumer products are digitally secure, always putting the user and customer first.

Quote by

Michael Beine, Business Unit Manager Cybersecurity at Bureau Veritas

Michael Beine is the Business Unit Manager for Cybersecurity at Bureau Veritas Consumer Products Services. With over 22 years of experience, he manages a team of cybersecurity specialists providing training, consulting, testing, and certification services. Michael is also an auditor for IEC 62443 under the IECEE CB scheme, with extensive expertise in IoT and cybersecurity.

Quote by

Jasper Nota, Cybersecurity Specialist at Secura,

Jasper Nota is Senior Security Specialist at Secura with a specialization in IoT and cybersecurity assessments. As part of the product manufacturers market group, he conducts security evaluations for embedded systems, Android/iOS applications, and web applications. Jasper also leads certification projects for various IT products based on international and local Dutch standards, including CC, BSPA, IEC 62443, and ETSI EN 303 645.

Quote by

ABOUT SECURA/BUREAU VERITAS

Secura is a leading expert in cybersecurity. Our customers range from government and healthcare to finance and industry worldwide. Secura offers technical services, such as vulnerability assessments, penetration testing and red teaming. We also provide certification for IoT and industrial environments, as well as audits, forensic services and awareness training. Our goal is to raise your cyber resilience.

Secura is a Bureau Veritas company. Bureau Veritas (BV) is a publicly listed company specialized in testing, inspection and certification. BV was founded in 1828, has over 80.000 employees and is active in 140 countries. Secura is the cornerstone of the cybersecurity strategy of Bureau Veritas.