Starting August 1, 2025, new requirements under the RED Directive (2014/53/EU) will come into effect, integrating cybersecurity as a mandatory component of CE marking for many types of radio equipment. This blog post explains the requirements and what manufacturers must do to meet the new technical and organizational standards necessary to market their products in the EU.
It is essential to understand that the requirements apply to products placed on the market from this date – even if the product has previously been available.
Why Are New Requirements Being Introduced in the RED Directive?
The amendment aims to increase security in our increasingly connected lives. Radio products such as routers, smart toys, phones, and cars are now connected to the internet, creating new risks—not just for users’ data but also for societal infrastructure.
The new requirements focus on:
Protection against cybersecurity threats like intrusions or sabotage (Article 3(3)(d))
Protection of personal data that could otherwise be leaked or stolen (Article 3(3)(e))
Fraud prevention, particularly for products handling payments (Article 3(3)(f))
Note: These requirements apply to radio equipment placed on the market after August 1, 2025—not to products already on the market. It is the date the product is placed on the market, not the CE marking or manufacturing date, that determines compliance.
What Do Articles 3(3)(d), (e), and (f) Mean in Practice?
These articles outline the specific protections radio equipment must provide:
Article 3(3)(d): Protection against unauthorized access. Products must be designed to resist known cybersecurity threats, using measures such as password protection, update procedures, and secure communication protocols. This applies to internet-connected radio products that could harm or disrupt networks.
Article 3(3)(e): Protection of personal data. Products that collect, process, or store personal data must do so securely and transparently in line with GDPR. This includes data minimization, user control, and encryption. Applicable products include baby monitors, toys, and wearable devices.
Article 3(3)(f): Fraud prevention. This applies to products that enable payments or financial transactions, requiring authentication, data integrity, and secure payment channels—such as payment terminals or devices handling virtual currencies.
Together, these requirements make cybersecurity a non-negotiable condition for CE marking of all internet-connected radio equipment, regardless of whether the connection is constant or temporary (e.g., USB connection to an internet-connected PC). It is the internet connection itself that matters, not how direct it is.
What Happens if Requirements Are Not Met After August 1, 2025?
If a product fails to meet the new cybersecurity requirements, it cannot be marketed in the EU after August 1, 2025. This includes previously CE-marked products—each unit placed on the market after this date must be updated to meet the new requirements.
Consequences may include:
Sales bans, requiring product removal from the market.
Product recalls, even from customers, if deemed risky.
Fines or enforcement actions by market surveillance authorities.
Timely action is therefore critical.
Self-Declaration Enabled by New Harmonized Standards
Work on harmonized standards (EN 18031-x) was completed in time. As a result, manufacturers can use self-declaration (the simplest CE marking procedure) instead of involving a notified body.
This is especially important for smaller companies since third-party assessments are often time-consuming and costly. By following the harmonized standards, manufacturers can demonstrate compliance without external certification.
However, self-declaration is only valid if the standards are fully applied. If key elements (like password protection or update procedures) are missing, or exemptions compromise safety objectives, a notified body must be involved. Self-declaration still requires manufacturers to prove compliance through technical documentation, risk analysis, and traceable development processes.
What Does the EN 18031 Standard Series Include?
The standards are divided into three parts, each reflecting one article of the directive:
EN 18031-1: Covers network protection and prevention of harmful network impact (Article 3(3)(d)).
EN 18031-2: Addresses personal data protection in radio equipment (Article 3(3)(e)).
EN 18031-3: Targets fraud prevention in devices handling money or value (Article 3(3)(f)).
These include requirements for authentication, password handling, data protection (at rest and in transit), and processes for vulnerability management and updates.
Standards can be purchased via national standardization bodies, such as EVS.ee or www.sis.se.
How to Prepare Your Product for the New Requirements
Meeting the requirements takes more than a last-minute effort. Follow these steps:
Assess applicability – Study the directive and relevant FAQs from the Commission.
Conduct a cybersecurity risk analysis – Identify relevant threats.
Implement the standards – Use EN 18031 to design technical and organizational measures.
Update documentation – Ensure your technical file, risk assessment, user manuals, and EU declaration of conformity are up to date.
Test the product – Confirm that all requirements are practically met.
Plan for updates – Establish post-market security update routines.
Already have a product affected? You’ll need to update it—such as with new firmware and documentation—to continue selling it after August 1, 2025.
Avoid Common Mistakes – Start Early
Common misconceptions:
Believing the requirements apply only to new products.
Underestimating what self-declaration entails.
Failing to implement technical measures in time.
Tips:
Start risk analysis and documentation work early.
Apply standards strictly—deviations require a notified body.
Document all cybersecurity measures thoroughly.
Looking Ahead
Further cybersecurity requirements for internet-connected radio devices are coming via the Cyber Resilience Act (CRA). The delegated acts under Article 3(3) will be replaced by CRA requirements starting December 11, 2027. So, continuing cybersecurity work beyond RED compliance is crucial.
Summary
Cybersecurity is now a mandatory component of CE marking for many radio products. This applies to internet-connected devices, those processing personal data, or managing digital transactions. By adhering fully to the EN 18031 series, manufacturers can self-declare compliance—provided every standard is met.