The EU Radio Equipment Directive has been in force since 2016, and in 2025 it was updated with new cybersecurity specifications under Articles 3.3 d/e/f. All individual radio products placed on the EU market after 1 August 2025 must comply with these new requirements.
What is the Radio Equipment Directive?
The Radio Equipment Directive (RED) is a regulation governing the design, manufacture and placing on the market of radio equipment within the European Union. The directive is being updated with a new delegated regulation, Articles 3.3 d/e/f, which aims to improve the security of wireless devices by establishing uniform requirements.
Radio equipment includes wireless electrical and electronic devices that transmit and receive radio waves, or that have an integrated radio component for wireless connectivity (such as WiFi, Bluetooth or NB-IoT). The cybersecurity requirements apply to all wireless devices that are connected directly or indirectly to the Internet.
Examples of devices covered by the directive include:
- IoT devices that transmit data over the Internet, such as wireless thermometers and humidity sensors
- Wireless industrial devices connected to the Internet
- Smartphones, tablets, wireless cameras, speakers and headphones
- Wearable devices, such as smartwatches, sports watches and activity trackers
- Remote-controlled toys and childcare equipment, such as baby monitors
What does the Radio Equipment Directive require?
Manufacturers and importers of radio equipment must ensure that their products comply with the criteria of the directive. They must also ensure that any security issues can be corrected and the products updated when necessary.
Key obligations of Articles 3.3 d/e/f:
Article 3.3 (d) – Radio equipment must not harm the network or its functioning, nor misuse network resources in a way that causes a deterioration of service.
Article 3.3 (e) – Radio equipment must include safeguards to protect users’ personal data and privacy.
Article 3.3 (f) – Radio equipment must support specific features that protect against fraud.
Harmonised standards developed by CEN/CENELEC were published in the Official Journal of the EU in February 2025:
- EN 18031-1:2024: Defines general security requirements for radio equipment connected to the Internet.
- EN 18031-2:2024: Defines technical requirements for radio equipment that processes personal, traffic or location data. This includes Internet-connected radio equipment, children’s radio devices, toy radio devices and wearable radio equipment.
- EN 18031-3:2024: Defines cybersecurity requirements for radio equipment capable of handling virtual currency or monetary value and of communicating over the Internet.
With these standards now in place, manufacturers can align with the RED cybersecurity requirements that become mandatory in August 2025. These standards also help lay the foundation for developing harmonised standards under the upcoming Cyber Resilience Act.
Device requirements will cover, for example:
- Appropriate authentication and access control mechanisms
- Automated and secure mechanisms for software or firmware updates
- Mechanisms to mitigate denial-of-service attacks
What happens if I do not comply?
All individual radio products placed on the EU market after 1 August 2025 must meet the new cybersecurity requirements, regardless of when the product was designed or type-approved. Note that “placing on the market” refers to each individual unit. Even if a model or type was made available before the new requirements came into force, any individual units of the same model placed on the market after the effective date must comply with the new requirements.
If a radio device does not meet the new requirements, it will not receive CE marking. CE marking indicates that the device complies with EU legislation. Without the marking, the device cannot be placed on the EU market or used within the EU. In Finland, the Finnish Transport and Communications Agency Traficom supervises the conformity of radio equipment sold in the country.
Our cybersecurity experts can help you meet the new regulatory requirements to ensure your products remain on the EU market. They specialise in cybersecurity standards forming the basis of upcoming requirements, including ETSI EN 303 645 and the ISA/IEC 62443-4-2 Industrial Control System Cybersecurity standards.