Does the Radio Equipment Directive Already Address Industrial Radio Security?
- spotcom
- Aug 11, 2025
Updated: Jan 19
When discussing cybersecurity and industrial radio systems, a common question arises:
“Doesn’t the Radio Equipment Directive (RED) already cover this?”
The answer is more nuanced than a simple yes or no.
What RED addresses
The Radio Equipment Directive establishes essential requirements that radio equipment must meet before being placed on the market. Recent delegated acts under RED have expanded its scope to include certain cybersecurity considerations.
These provisions focus on ensuring that radio equipment:
- Does not cause harm to networks
- Supports protection of personal data and privacy
- Reduces exposure to certain forms of misuse or fraud
This represents an important step in recognising that radio equipment, like other connected technologies, must be designed with security considerations in mind.
RED plays a critical role in setting baseline expectations at the point of manufacture and market entry.
The scope and intent of RED
RED is fundamentally a product compliance framework. Its purpose is to ensure that radio equipment placed on the market meets defined essential requirements.
It does not seek to:
- Assess how equipment is deployed in a specific operational context
- Provide assurance across the full lifecycle of a system
- Evaluate how multiple components interact within an operational control loop
- Address site-specific or sector-specific operational risk
This distinction is important in industrial environments, where radio communications may directly influence physical processes, safety, or continuity of essential services.
Industrial radio in operational contexts
In operational technology environments, radio systems are often:
- Integrated into wider control architectures
- Used to transmit commands and telemetry between remote assets
- Operated for long periods with minimal change
- Deployed in environments with varying risk profiles
In such contexts, questions of assurance extend beyond whether a product meets baseline requirements. They include how the system behaves once deployed, how it is configured, and how its limitations are understood and documented.
How SIR Certification is positioned alongside RED
SIR Certification is not intended to replace or override RED. Instead, it is designed to complement existing regulatory and compliance frameworks by focusing on the operational assurance of industrial radio communications.
SIR Certification addresses aspects such as:
- Proportionate assurance levels aligned to operational criticality
- Context-aware assessment of radio communications behaviour
- Consideration of system integration and deployment assumptions
- Support for documenting risk and residual exposure
Where RED focuses on product conformity, SIR focuses on communications assurance in use.
A complementary relationship, not a substitute
RED and SIR Certification serve different but related purposes.
RED establishes essential requirements for radio equipment entering the market. SIR Certification supports organisations in understanding and documenting how radio communications perform within real operational environments.
Used together, they help provide a clearer picture of both product capability and operational assurance — without duplicating or conflicting with existing regulatory structures.
Final thoughts
Industrial radio systems continue to play a vital role across critical infrastructure sectors. As awareness of cyber-physical risk increases, it becomes increasingly important to distinguish between product compliance and operational assurance.
RED addresses the former.
SIR Certification is intended to support the latter.
Understanding the difference allows organisations, regulators, and stakeholders to apply each appropriately — and proportionately — within their respective roles.



