As of August 1, 2025, the European Commission’s Delegated Act (Regulation (EU) 2022/30) on the Radio Equipment Directive (RED) 2014/53/EU mandates cybersecurity requirements for internet-connected radio equipment. This update represents a significant milestone in Europe’s ongoing efforts to ensure that the growing ecosystem of connected devices is not only safe and interoperable but also secure against cyber threats.
But what does this mean for manufacturers, importers, and distributors? And is the supply chain prepared for this new wave of regulatory demands?
What is the RED?
The RED is a comprehensive EU directive that governs health & safety, electromagnetic compatibility (EMC), efficient use of the radio spectrum, and—most critically for 2025—cybersecurity, personal data protection, and fraud prevention for radio-enabled devices placed on the EU market. From mobile phones and smart home gadgets to wearables and automotive communication systems, if your product communicates via radio frequencies, it’s likely in scope.
New Cybersecurity Mandates: What’s Changing?
The most significant update, effective August 1, 2025, introduces mandatory cybersecurity requirements for connected devices. This includes ensuring that devices:
- Protect network resources from misuse.
- Safeguard personal data and privacy.
- Prevent fraudulent activity through robust security mechanisms.
Manufacturers must now demonstrate that their devices are resilient to cyber threats—not just in theory, but through compliance with harmonized standards, such as the EN 18031 series.
EN 18031: Breaking Down the Technical Requirements
The EN 18031 standards are designed to translate RED’s high-level legal requirements into clear, testable security measures. These standards address critical areas like:
- Access control & authentication
- Secure key management
- Cryptography for communications & transactions
- Data deletion, logging, and secure storage
- Network monitoring & traffic control
- Firmware update security
For example, devices handling personal data (like smart home assistants or wearable tech) must now implement mechanisms to prevent unauthorized data access, while devices facilitating financial transactions require advanced cryptographic protections against fraud. Importantly, EN 18031 encourages manufacturers to align with global best practices, referencing standards from NIST, SOGIS, ETSI, and BSI for cryptography and key management.
Compliance: Self-Assessment or Notified Body?
Manufacturers have two routes to demonstrate compliance:
- Self-Assessment
- Third-Party Conformity Assessment via a Notified Body (for complex or non-standard implementations)
The choice largely depends on whether existing harmonized standards sufficiently cover your product’s design and functionality. For emerging or proprietary technologies, Notified Body involvement is likely mandatory.
Why This Matters: The Supply Chain Impact
With the RED’s cybersecurity requirements becoming enforceable, manufacturers and their supply chain partners must ensure products are secure by design and by default. This is not a mere “box-ticking” exercise. Failure to comply could result in:
- Regulatory penalties
- Product bans within the EU market
- Brand damage
But beyond compliance, there’s also opportunity: early adopters of secure design principles will gain competitive advantage, demonstrating leadership in a market that increasingly values privacy, security, and resilience.
The RED’s cybersecurity mandates are reshaping the connected device landscape, demanding that manufacturers take proactive steps to secure their products and protect their users. RED isn’t just a compliance challenge—it’s a chance to set the benchmark for secure, trustworthy connected devices in Europe and beyond.