Freely subscribe to our NEWSLETTER

Extending the scope of notification to ensure compliance
Already a notified body for several European directives - notably the RED Directive 2014/53/EU, the EMC Directive 2014/30/EU, and Regulation (EU) 2019/945 on unmanned aircraft systems (UAVs) - Emitech Certification saw its competence extended in December 2024, with the validation of its operational capability by Cofrac concerning cybersecurity requirements. This regulatory breakthrough was part of a multi-stage process, involving a notification request submitted by Emitech to the DGE (Direction Générale des Entreprises), the issue of a favourable opinion by the DGE, and then validation of this notification at European level. Since then, Emitech Certification has been officially recognised as a Notified Body (NB) for the delegated regulation (EU) 2022/30.

Delegated Regulation (EU) 2022/30, published in January 2022, supplements the RED Directive by activating three essential cybersecurity requirements (Article 3.3) applicable to certain connected radio equipment:
– 3.3 d): network protection and prevention of service disruption,
– 3.3 e): protection of personal data and privacy,
– 3.3 f): protection against fraud.

The regulation will apply from 1 of August 2025, following a postponement to allow harmonised standards to be drawn up by CEN/CENELEC and ETSI.

New requirements for internet-connected equipment and a greater role for notified bodies
Manufacturers will have to demonstrate that their equipment complies with these requirements, either by applying harmonised standards (as soon as they are published), or by requesting a notified body such as Emitech Certification to carry out a third-party assessment (EU type examination or quality system).
In this context, Emitech Certification will act as a designated third party, relying on :
– risk analyses provided by manufacturers
– test reports (ISO/CEI 17025, or conditionally accepted),
– technical standards, particularly the EN 18031 series, comprising three harmonised standards:
o EN 18031-1:2024: General requirements for cybersecurity ;
o EN 18031-2:2024: Protection of privacy and personal data;
o EN 18031-3:2024: Protection against fraud.

These standards cover the requirements of Articles 3.3 d), e) and f) of the RED Directive respectively, and confer a presumption of conformity from 1 August 2025, subject to the application restrictions specified by the European Commission. They allow manufacturers to opt for internal conformity assessment or, in the case of restricted clauses, to apply to a notified body. In this way, Emitech Certification remains a key partner for products that fall outside the strict scope of the standards, or in innovative cases.

Structured support for manufacturers
To provide manufacturers with effective support in their technical and administrative procedures, Emitech Certification has developed a formal system based on a dedicated form comprising several key modules.
These include an Implementation Conformance Statement (ICS), which enables applicants to specify how certain critical functions are implemented in practice; an Implementation eXtra Information for Testing (IXIT), which focuses on the relevant parameters for carrying out reproducible tests; and a framework to guide the analysis of threats identified during software or hardware development.

All of this helps to validate that the security-related functions are active and robust (secure network authentication via asymmetric encryption, logging that cannot be falsified and can only be accessed locally, etc.) and to guarantee the CE conformity of connected products.

A European development in favour of cybersecurity
This regulatory development is part of a wider European drive ahead of the Cyber Resilience Act (CRA), which will extend these requirements to all digital products by 2027. In the meantime, the RED and its delegated act 2022/30 constitute the mandatory legal framework for connected objects.
The role of notified bodies like Emitech Certification is essential during this transitional phase, to secure innovation and accelerate the adoption of ‘secure by design’ products.