Introduction
The Radio Equipment Directive (RED) Delegated Act 2022/30 and the Cyber Resilience Act (CRA) apply to many products, even those without direct internet access, and while some compliance standards are published and active, others are still being developed. Manufacturers must be compliant with the new RED cyber security rules by August 1st, 2025, with the incident reporting rules of the CRA by September 11th, 2026, and with the full requirements of the CRA by December 11th, 2027.
Ezurio is committed to helping our customers by providing information and support on the various elements that we provide to help minimize the time spent securing compliance with RED and the CRA. Here we will provide an outline of the new security requirements of RED and the CRA, and how Ezurio can help you meet compliance.
What are RED and the CRA?
The RED (Directive 2014/53/EU) is an EU legislative framework that sets out essential requirements for selling and operating radio equipment within the European Economic Area (EEA) to ensure its safety, compatibility, and efficient use of the radio spectrum.
The CRA is an EU regulation that aims to improve the cybersecurity of products and services that contain digital elements.
Changes to the RED in RED-DA 2022/30 and the adoption of the CRA will require OEMs to demonstrate compliance with new key security considerations and requirements in order for their products to be sold and used in the European Union.
A more detailed explanation of RED and the CRA can be found in Ezurio’s security portal.
What is Summit Suite?
Summit Suite is a range of value-added software components and services that enable our customers to address the security life cycle of advanced connectivity products. Over many years of working alongside our customers, Ezurio has developed enhanced security features and services that mitigate risks to our products, our customers’ devices, and their reputation.
More details on Summit Suite can be found on our dedicated web page.
Security Requirements of RED and the CRA
While RED and the CRA are different standards of security, put forth by different governing bodies, they share many similar requirements related to device security. This is not surprising given that much of what manufacturers can do to build secure devices is based on many years of best practices when it comes to security.
Below is a list of the key security requirements in RED and the CRA, along with the elements provided by Ezurio that can be used as part of a security process to meet these requirements.
Device Access Control and Authentication
Requirements
RED 3.3d, per EN18031-1:
[ACM-1]: “The equipment shall use access control mechanism to manage entities' access”
[AUM-1]: “Access control mechanisms […] shall use authentication mechanisms to managing entities' access via network interfaces”
CRA (Annex 1.1):
“Products with digital elements shall ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems.”
Rationale
Digital equipment that is connected to networks will always be subject to attacks over those network connections. To prevent unauthorized disclosure of information and hijacking attacks, device manufacturers must implement access control and authentication that ensure only authorized entities can access, use, and modify equipment functions.
Ezurio Software BSPs
Ezurio provides supported software BSPs for all of our computing-based products. This includes Linux and Android for SOMs and SBCs, as well as Zephyr RTOS and Python-based Canvas for microcontroller-based products. These BSPs all have support for access control and authentication that device manufacturers can implement to meet the requirements of RED and the CRA.
Secure Firmware Updates
Requirements
RED 3.3d, per EN18031-1:
[SUM-1]: “The equipment shall provide at least one method of updating software”
[SUM-2]: “Each update mechanism […] shall only install software whose integrity and authenticity are valid at the time of installation.”
CRA (Annex 1.1):
“Products with digital elements shall […] ensure that vulnerabilities can be addressed through security updates”
Rationale
Developing and providing regular firmware updates that are securely applied to devices is critical to preventing cyber security threats, particularly for devices that are connected to the Internet, as security researchers are constantly discovering new flaws (vulnerabilities) in existing software. As such, a device that shipped with known secure firmware on one date may be vulnerable to threats at a later date, once the vulnerabilities are made public. Firmware updates also need to be secure, meaning they are only installed on a device if the validity of the update can be traced to a trusted source, thus preventing an attacker from manipulating the operation of the device.
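The update check described above, written out as an added example that is not part of Ezurio's Summit Suite or any BSP: a build-side step signs a manifest (version plus SHA-256 of the image) with the vendor's Ed25519 private key, and a device-side step refuses the update unless the signature chains to the provisioned public key, the payload matches the signed hash, and the version is newer than what is installed (anti-rollback, so a known-vulnerable image cannot be re-applied). The manifest layout, function names and the sample image are all assumptions made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest describes one firmware image. In a real update package this
// would be parsed from a file; here it is a plain struct (assumed layout).
type Manifest struct {
	Version   uint32   // monotonically increasing, used for anti-rollback
	ImageHash [32]byte // SHA-256 of the image payload
	Signature []byte   // Ed25519 signature over Version || ImageHash
}

// signedBytes returns what the vendor signs: version followed by the image
// hash, so both fields are covered by the signature.
func signedBytes(version uint32, hash [32]byte) []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], version)
	copy(buf[4:], hash[:])
	return buf
}

// SignImage is the build-server step: hash the image and sign the manifest
// with the vendor's private key (which never leaves the signing system).
func SignImage(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	hash := sha256.Sum256(image)
	return Manifest{
		Version:   version,
		ImageHash: hash,
		Signature: ed25519.Sign(priv, signedBytes(version, hash)),
	}
}

var (
	ErrBadSignature = errors.New("manifest signature invalid: not from trusted source")
	ErrBadHash      = errors.New("image hash mismatch: payload corrupted or tampered")
	ErrRollback     = errors.New("update version not newer than installed version")
)

// VerifyUpdate is the device-side check run before anything is written to
// flash. trustedPub is the vendor public key provisioned at manufacturing;
// installedVersion is the firmware version the device currently runs.
func VerifyUpdate(trustedPub ed25519.PublicKey, installedVersion uint32, m Manifest, image []byte) error {
	// 1. Authenticity: the manifest must be signed by the trusted key.
	if !ed25519.Verify(trustedPub, signedBytes(m.Version, m.ImageHash), m.Signature) {
		return ErrBadSignature
	}
	// 2. Integrity: the payload must match the hash the signature covers.
	if sha256.Sum256(image) != m.ImageHash {
		return ErrBadHash
	}
	// 3. Anti-rollback: refuse to reinstall older, possibly vulnerable firmware.
	if m.Version <= installedVersion {
		return ErrRollback
	}
	return nil
}

func main() {
	// Constructed demo: a fresh vendor key pair and a tiny stand-in "image".
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("firmware v2 payload (constructed sample)")
	m := SignImage(priv, 2, image)

	fmt.Println("valid update:    ", VerifyUpdate(pub, 1, m, image))
	tampered := append([]byte{}, image...)
	tampered[0] ^= 0xff
	fmt.Println("tampered payload:", VerifyUpdate(pub, 1, m, tampered))
	fmt.Println("rollback attempt:", VerifyUpdate(pub, 2, m, image))
}
```

The order of the checks matters: the signature is verified first so that an unauthenticated manifest can never influence the hash or version comparison, and the version is bound into the signed data so an attacker cannot pair an old signed image with a newer manifest.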
Summit Suite - Vulnerability Mitigation & Chain-of-Trust Security
For supported SOM products, Ezurio’s Summit Suite provides the ability to address known software vulnerabilities with vulnerability monitoring and remediation. We continually update our Linux software stack (including the kernel and many user-space libraries and applications) from upstream sources to include the latest vulnerability fixes. Device manufacturers only need to update to our latest BSP to keep up-to-date with security patches that address common vulnerabilities and exposures.
Summit Suite also includes our Chain-of-Trust security, which secures the entire software life cycle, from secure programming in production to in-the-field updates, using modern cryptographic methods. This enables the creation of secure firmware updates that are verified to be authentic before they are applied.
Vulnerability Detection and Reporting
Requirements
RED, per EN18031-1:
[GEC-1]: “The equipment shall not include publicly known exploitable vulnerabilities that, if exploited, affect security and network assets.”
CRA (Annex 1.2):
“Products with digital elements shall be delivered without any known exploitable vulnerabilities.”
“Manufacturers of the products with digital elements shall identify and document vulnerabilities and components contained in the product; […] once a security update has been made available, publicly disclose information about fixed vulnerabilities; […] take measures to facilitate the sharing of information about potential vulnerabilities in their product”
Rationale
Just like providing software updates that address known vulnerabilities, it is equally important that, as part of the software quality process, manufacturers review the software for open-source components that may have known existing vulnerabilities. This is necessary to prevent an attacker from using public information to commit a cyber attack on devices in the field.
Summit Suite - Vulnerability Monitoring
In order to determine which versions of software components are used in a given release, it is necessary to derive a software bill of materials (SBOM), which can be a time-consuming process for modern, complex software. The vulnerability monitoring service provided by Summit Suite allows Ezurio’s customers to review their unique software builds on demand, and to generate an SBOM along with a comprehensive list of known vulnerabilities at the click of a button.
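As an added illustration of the matching step behind such a service (this is not Summit Suite's code and makes no claim about how it works internally): each SBOM component is compared against a vulnerability feed, and a finding is raised when the shipped version is older than the version that carries the fix. The minimal JSON SBOM shape, the component names, the version numbers and the `ADV-EXAMPLE-*` identifiers are all constructed placeholders; a real feed would use CVE identifiers and a real SBOM would follow a standard such as SPDX or CycloneDX.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Component is one SBOM entry: a component name and the version shipped.
type Component struct {
	Name    string `json:"name"`
	Version string `json:"version"`
}

// Advisory is one vulnerability-feed entry: the affected component and the
// first version that contains the fix. IDs here are placeholders.
type Advisory struct {
	ID        string `json:"id"`
	Component string `json:"component"`
	FixedIn   string `json:"fixed_in"`
}

// Finding pairs an SBOM component with an advisory that still applies to it.
type Finding struct {
	Component Component
	Advisory  Advisory
}

// compareVersions orders dotted numeric versions ("1.2.10" > "1.2.9") and
// returns -1, 0 or 1. A missing segment counts as zero (1.2 == 1.2.0);
// non-numeric segments fall back to plain string order.
func compareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		x, y := "0", "0"
		if i < len(as) {
			x = as[i]
		}
		if i < len(bs) {
			y = bs[i]
		}
		xi, xerr := strconv.Atoi(x)
		yi, yerr := strconv.Atoi(y)
		if xerr == nil && yerr == nil {
			if xi != yi {
				if xi < yi {
					return -1
				}
				return 1
			}
			continue
		}
		if x != y {
			if x < y {
				return -1
			}
			return 1
		}
	}
	return 0
}

// MatchAdvisories reports every component whose shipped version is older
// than the advisory's fixed version, i.e. the vulnerability is still present.
func MatchAdvisories(sbom []Component, feed []Advisory) []Finding {
	var out []Finding
	for _, c := range sbom {
		for _, adv := range feed {
			if adv.Component == c.Name && compareVersions(c.Version, adv.FixedIn) < 0 {
				out = append(out, Finding{Component: c, Advisory: adv})
			}
		}
	}
	return out
}

// ParseSBOM reads the minimal JSON shape used by this example.
func ParseSBOM(data []byte) ([]Component, error) {
	var doc struct {
		Components []Component `json:"components"`
	}
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, err
	}
	return doc.Components, nil
}

// Constructed sample inputs; names, versions and IDs are not real data.
const SampleSBOM = `{"components":[
  {"name":"example-tls",   "version":"1.4.2"},
  {"name":"example-shell", "version":"2.0.0"},
  {"name":"example-http",  "version":"7.9.1"}]}`

var SampleFeed = []Advisory{
	{ID: "ADV-EXAMPLE-0001", Component: "example-tls", FixedIn: "1.4.3"},
	{ID: "ADV-EXAMPLE-0002", Component: "example-http", FixedIn: "7.9.1"}, // already fixed in SBOM
	{ID: "ADV-EXAMPLE-0003", Component: "example-shell", FixedIn: "2.1.0"},
}

func main() {
	sbom, err := ParseSBOM([]byte(SampleSBOM))
	if err != nil {
		panic(err)
	}
	for _, f := range MatchAdvisories(sbom, SampleFeed) {
		fmt.Printf("%s %s is affected by %s (fixed in %s)\n",
			f.Component.Name, f.Component.Version, f.Advisory.ID, f.Advisory.FixedIn)
	}
}
```

The version comparison is the part that most often goes wrong in home-grown scanners: plain string comparison would rank "1.2.10" below "1.2.9" and miss or invent findings, which is why the example parses segments numerically.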
Vulnerability Lists and SBOMs for Ezurio Software Stacks
For customers that develop their own software solution but rely on Ezurio for specific software components (such as the Linux radio stack that a customer may integrate into a custom Yocto or other Linux solution), Ezurio provides up-to-date listings of vulnerabilities. Ezurio also provides SBOMs for software stacks we provide that are built upon open-source components (such as our Python-based Canvas solution for microcontroller-based products).
Secure Storage, Communication and Cryptographic Methods
Requirements
RED, per EN18031-1:
[SSM-1]: “The equipment shall always use secure storage mechanisms for protecting the security assets and network assets persistently stored on the equipment”
[SCM-1]: “The equipment shall always use secure communication mechanisms for communicating security assets or network assets with other entities”
[CRY-1]: “The equipment shall use best practice for cryptography that is used for the protection of the security assets or network assets”
CRA (Annex 1.1):
“Products with digital elements shall […] protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms”
Rationale
Device manufacturers must ensure that confidential data that is transmitted and stored (such as network passwords, personal information, and financial data) is protected from attackers. Devices must use proven, strong encryption ciphers for both asymmetric (e.g., elliptic-curve algorithms such as ECDSA) and symmetric (e.g., AES-CBC) methods.
Summit Suite - FIPS Certified Cryptography
Summit Suite provides a certified cryptographic suite of software components and algorithms as a FIPS-certified solution (see What is FIPS?). While FIPS cryptography is typically only required in specific markets (e.g., government agencies or large healthcare organizations), having FIPS-compliant algorithms can be a simple way to demonstrate compliance with the related cyber security requirements around strong cryptography in RED and the CRA.
Conclusion
For device manufacturers, particularly those who do not focus on cyber security as their primary market deliverable, meeting the upcoming compliance deadlines put forth in RED and the CRA can seem a daunting task. Ezurio is committed to providing information and support on these requirements with regard to our products and how our customers can achieve compliance.
We have shown how Ezurio provides information and components to help device manufacturers meet some of the requirements of RED and the CRA; specifically:
- Summit Suite (available on select modules), which includes:
  - Chain-of-Trust Security to provide secure firmware updates;
  - Software Vulnerability Monitoring and Remediation to continuously discover and address software vulnerabilities; and
  - FIPS-Certified Cryptography to demonstrate best-practice cryptographic algorithms that protect sensitive data;
- Software BSPs that include access control and authentication to prevent unauthorized access to devices;
- Vulnerability Lists and SBOMs for software stacks that Ezurio provides, for customers to use as part of their software solutions.
For more information on Summit Suite, or on how Ezurio can help you meet compliance with the upcoming cyber security initiatives, please feel free to contact us.