Quantum Cyber Security and the RED: Are You Ready?

Key Takeaways

  • RED cybersecurity requirements become enforceable on August 1, 2025
  • EN 18031 defines how manufacturers must technically meet these obligations
  • Cryptography and key management are central to compliance
  • Quantum cyber security considerations are becoming relevant for long-lived devices
  • Early preparation reduces regulatory risk and strengthens market position

Why Quantum Cyber Security Now Matters for RED Compliance

As of August 1, 2025, the European Commission’s Delegated Act (Regulation (EU) 2022/30) on the Radio Equipment Directive (RED) 2014/53/EU mandates cybersecurity requirements for internet-connected radio equipment.

This update represents a significant milestone in Europe’s ongoing efforts to ensure that the growing ecosystem of connected devices is not only safe and interoperable but also secure against cyber threats. As regulators and manufacturers look ahead, quantum cyber security is beginning to form part of the wider conversation around long-term device resilience.

But what does this mean for manufacturers, importers, and distributors? And is the supply chain prepared for this new wave of regulatory demands?

What is the Radio Equipment Directive (RED)?

The Radio Equipment Directive is a comprehensive EU framework governing:

  • Health and safety
  • Electromagnetic compatibility (EMC)
  • Efficient use of the radio spectrum
  • Cybersecurity, personal data protection, and fraud prevention

From mobile phones and smart home gadgets to wearables and automotive communication systems, if your product communicates via radio frequencies, it’s likely in scope.

New Cybersecurity Mandates: What’s Changing?

The most significant update, effective August 1, 2025, introduces mandatory cybersecurity requirements for connected devices. This includes ensuring that devices:

  • Protect network resources from misuse.
  • Safeguard personal data and privacy.
  • Prevent fraudulent activity through robust security mechanisms.

Manufacturers must now demonstrate that their devices are resilient to cyber threats, not just in theory but through compliance with harmonized standards such as the EN 18031 series.

EN 18031: Breaking Down the Technical Requirements

The EN 18031 standards are designed to translate RED’s high-level legal requirements into clear, testable security measures.

These standards address critical areas like:

  • Access control & authentication
  • Secure key management
  • Cryptography for communications & transactions
  • Data deletion, logging, and secure storage
  • Network monitoring & traffic control
  • Firmware update security

For example, devices handling personal data (like smart home assistants or wearable tech) must now implement mechanisms to prevent unauthorized data access, while devices facilitating financial transactions require advanced cryptographic protections against fraud.

Importantly, EN 18031 encourages manufacturers to align with global best practices, referencing standards from NIST, SOGIS, ETSI, and BSI. This aligns with the growing industry focus on cryptographic longevity and forward-looking security approaches championed by organisations such as PQShield.

Compliance: Self-Assessment or Notified Body?

Manufacturers have two routes to demonstrate compliance:

  • Self-Assessment
  • Third-Party Conformity Assessment via a Notified Body (for complex or non-standard implementations)

The choice largely depends on whether existing harmonized standards sufficiently cover your product’s design and functionality. For emerging or proprietary technologies, Notified Body involvement is likely mandatory.

Why This Matters: The Supply Chain Impact

With the RED’s cybersecurity requirements becoming enforceable, manufacturers and their supply chain partners must ensure products are secure by design and by default. This is not a mere “box-ticking” exercise. Failure to comply could result in:

  • Regulatory penalties
  • Product bans within the EU market
  • Brand damage

But beyond compliance, there’s also opportunity: early adopters of secure design principles will gain competitive advantage, demonstrating leadership in a market that increasingly values privacy, security, and resilience.

Final Thoughts

The RED’s cybersecurity mandates are reshaping the connected device landscape, pushing manufacturers to take proactive steps to protect users and infrastructure. Compliance is no longer just about today’s risks, but about preparing for future threats.

By considering quantum cyber security as part of a wider compliance strategy, organisations can strengthen their regulatory position while building more trustworthy connected products.

Talk to PQShield About RED Compliance

If you want to understand how your devices measure up, or how PQShield can support your RED compliance journey, now is the time to start the conversation.

Contact PQShield to discuss your requirements, assess your readiness, and explore how the right cryptographic approach can support secure and compliant products for the EU market.

Frequently Asked Questions

Does RED require post-quantum cryptography?

RED does not explicitly require post-quantum cryptography, but it does expect devices to remain secure against evolving threats.

Many manufacturers are therefore considering quantum-resistant approaches as part of long-term compliance planning, with support from PQShield.

How can PQShield support RED compliance?

PQShield helps organisations implement robust cryptographic solutions aligned with RED and EN 18031, including secure key management and future-ready cryptography.

Is quantum cyber security relevant for existing devices?

For devices with long lifespans, quantum cyber security is increasingly relevant. Manufacturers may need to consider cryptographic upgrades or secure update paths to manage future risk, an area where PQShield provides guidance.

Do all RED devices need advanced cryptography?

The level of cryptography required depends on device function and risk. Even simple connected devices may need strong security controls if they process data or access networks. PQShield supports proportionate, standards-aligned approaches.

When should manufacturers engage a cryptography specialist?

Engaging early in the design or compliance phase reduces risk and cost. Many organisations work with PQShield during RED readiness assessments or when planning for future security requirements.