On 29 October 2021, the European Commission (EC) adopted a Delegated Regulation (Regulation (EU) 2022/30) under the Radio Equipment Directive (Directive 2014/53/EU). This delegated regulation extends the existing requirements for radio equipment with “cybersecurity by design” requirements. Wireless internet-connected devices must comply with these cyber security requirements from August 2024 as a precondition for placing IoT devices on the EU market. The objectives of the Radio Equipment Directive (RED) essential cyber security requirements are to protect the network, to ensure safeguards for the protection of personal data and privacy, and to contribute towards protection from fraud. The RED cyber security product legislation is part of the New Legislative Framework (NLF). The NLF establishes common procedures for placing products on the EU market. Its goals are the proper functioning of the internal market and a high level of protection of the public interest. It contains common methodologies for product requirements via essential requirements, demonstration of compliance by manufacturers, and monitoring of compliance by supervisory authorities. In line with the NLF approach, the RED essential cyber security requirements set “objectives to be achieved” but do not impose technical solutions. A formal standardisation process exists in which essential requirements are converted into technical solutions in harmonised standards. The realisation of this process is the responsibility of a specific joint committee of the multi-stakeholder standardisation organisations CEN (the European Committee for Standardization) and CENELEC (the European Committee for Electrotechnical Standardization).
The EC requires, in its standardisation request, that the technical solutions to be included in the harmonised standards for IoT devices are proportionate to the cyber security risk they aim to address. However, neither the RED legislation nor the EC standardisation request provides guidance on how to accomplish this. Moreover, there is currently no harmonised standard for the cyber security of products that could serve as an example for the harmonised standards to be developed in support of the RED cyber security essential requirements. This thesis develops a model that can be used in standardisation activities for the RED to determine whether technical solutions in harmonised standards for IoT devices are proportionate to the risk they aim to address. The developed model is referred to as the “RED cyber security management system”. The model maps the RED processes in three layers. The Risk Governance layer maps the legislators' processes for regulating the cyber risks of IoT devices. The Risk Management layer maps the processes that members of standardisation organisations perform in the development of RED harmonised standards. The Risk Assessment layer maps the processes for selecting technical solutions for RED harmonised standards. This thesis proposes to incorporate the ISO 27005 risk management framework and the Open FAIR risk assessment framework into the “RED cyber security management system”. The developed “RED cyber security management system” has been shown to be beneficial for linking technical requirements to IoT devices. It was shown in a simple IoT scenario that the model could be used to determine the applicability of authentication and access control mechanism requirements for IoT devices.