Answer
Under the Radio Equipment Directive (RED) 2014/53/EU, specifically Article 3.3 (d), (e), and (f), compliance obligations are placed on the end product, not necessarily on the internal components such as radio modules or system-on-modules (SOMs). However, the application of RED Cyber provisions to such components depends on how the product is shipped, marketed, and used.
Key Interpretation Points:
1. Radio Modules as Subcomponents — Not Final Radio Product:
- RED does not formally recognize "modular approvals" like the U.S. FCC does.
- Radio Modules and SOMs, when shipped in a form that requires product integration, do not qualify as Final Radio Products and therefore are not subject to standalone RED Cyber assessments.
- This interpretation aligns with the RED Compliance Association (RED CA) Technical Guidance Note for Radio Modules and current notified body practice.
2. Shipping Configuration Determines Applicability:
- Radio Modules/SOMs shipped “blank” (i.e., without operating systems or functional application firmware) are not in scope for RED Article 3.3 (d), (e), or (f) because they cannot:
  - Connect to the Internet directly or indirectly
  - Execute any network-facing behavior
  - Handle personal data, credentials, or software updates
3. Gray Areas Require Manufacturer Declaration:
- If a Radio Module includes firmware (e.g., AT command interface, HCI-only Bluetooth stack, or ROM bootloader), the decision of applicability hinges on:
  - Whether the firmware enables Internet connectivity or sensitive data processing out-of-the-box
  - Whether the manufacturer chooses to declare the component as an end product or a subcomponent
- Ezurio’s position is to declare these as sub-components and claim non-applicability.
4. SOMs Follow the Same Logic:
- System-on-Modules that require customers to load their own operating system and application are treated similarly:
  - They are development platforms or subsystems
  - For CE-marked SOMs, Ezurio lists RED Article 3.3 (d), (e), and (f) as "N/A" in the DoC (Declaration of Conformity)
5. Customer Responsibility for End Product Compliance:
- When Ezurio modules are integrated into a product, they become a Final Radio Product, and it becomes the customer's responsibility to ensure RED Cyber compliance for the complete system.
- Ezurio is committed to supporting customers through this process.
Conclusion
Radio Modules and SOMs are not subject to RED Cybersecurity requirements when shipped as components requiring user configuration or integration. This includes:
- Modules with AT command interfaces, script runtimes, ROM bootloaders, or HCI-only stacks
- SOMs that ship blank or with a BSP (Board Support Package) but no application
These components are listed as “Not Applicable” in Ezurio’s RED DoC filings. The end product manufacturer is responsible for final compliance assessment and RED Article 3.3 (d), (e), and (f) conformity.