The EU RED Countdown: 4 Things You Must Do Now to be Prepared
Compliance officers at IoT device manufacturing organizations must act immediately to prepare for the EU Radio Equipment Directive (RED) and its new cybersecurity requirements, which became mandatory on August 1, 2025. The new EN 18031 series of standards provides the framework for demonstrating compliance. A successful strategy focuses on proactive integration of these requirements into the product lifecycle.
Why should you care
1. Market Access and Legal Mandate
Access to the EU Market: The most direct and compelling reason is that compliance is a legal requirement for selling radio equipment, including a vast number of IoT devices, within the European Union. Non-compliant products cannot be placed on the EU market. This is not a voluntary guideline; it's a mandatory prerequisite.
CE Marking: Compliance with the RED is a key part of obtaining the CE marking, a mandatory conformity marking for products sold within the European Economic Area. Without a valid CE marking, a product cannot be sold in the EU.
2. Business and Financial Risks
Financial Penalties: As seen with other EU regulations like the Cyber Resilience Act (CRA), non-compliance can lead to massive fines. These fines can be a percentage of a company's global annual turnover, which for large manufacturers can amount to tens of millions of euros.
Reputational Damage: A major security breach in an IoT device can cause irreparable harm to a company's brand and customer trust. If a product is linked to a data breach, a botnet attack, or other cybersecurity incidents, the negative publicity can lead to a significant drop in sales and loss of business, regardless of legal penalties.
Costly Rework and Delays: Retrofitting security into a product after it has been designed and manufactured is far more expensive and time-consuming than building it in from the start. A proactive "security-by-design" approach, as required by the RED, helps manufacturers avoid costly redesigns, testing delays, and missed launch dates.
3. Cybersecurity and Consumer Trust
Protecting Users and Networks: The new RED requirements directly address growing cybersecurity threats. By mandating security-by-design, the directive ensures that devices are not only safe for the end-user but also do not pose a threat to critical network infrastructure. This protects against scenarios where unsecured IoT devices are used in massive botnet attacks or to infiltrate corporate networks.
Building Customer Trust: As consumers become more aware of privacy and security issues, they are increasingly making purchasing decisions based on a product's security posture. By demonstrating compliance with rigorous EU standards like EN 18031, manufacturers can signal to consumers and business partners that their products are secure and trustworthy, providing a competitive advantage.
Aligning with a Broader Regulatory Landscape: The EU RED's new cybersecurity requirements are part of a larger trend in global regulations. Complying with the RED provides a strong foundation for meeting other forthcoming laws, such as the EU's Cyber Resilience Act (CRA). By preparing for RED now, compliance officers are also getting ahead of future, and potentially more stringent, regulations.
4 Things You Must Do Now to be Prepared
1. Scope & Impact Assessment
Identify Affected Products: Determine which of your organization's products are classified as "radio equipment" and are subject to the new requirements. This includes any device that transmits or receives radio waves for communication (e.g., Wi-Fi, Bluetooth, Zigbee, NFC).
Assess Connectivity and Function: Check if products fall under the scope of the new rules, specifically Articles 3.3(d), (e), and (f), which are relevant to:
Network Protection (3.3d): All internet-connected radio equipment.
Data Protection (3.3e): Devices that handle personal data or privacy, even if not directly connected to the internet.
Fraud Prevention (3.3f): Internet-connected devices that enable monetary transactions.
Determine Applicable Standards: Use the new EN 18031 series as your primary framework. The series is broken down into parts that correspond to the RED articles:
EN 18031-1: Addresses network protection.
EN 18031-2: Focuses on user data and privacy protection.
EN 18031-3: Pertains to fraud prevention.
Acknowledge the Relationship with other Standards: Understand that while EN 18031 is now the harmonized standard, other standards like ETSI EN 303 645 can be a useful starting point, but EN 18031 must be the official standard used for demonstrating compliance.
2. Technical & Development Alignment
Integrate Cybersecurity into Design: Ensure all product development, from the initial design phase, incorporates the new cybersecurity requirements. This means adopting a "security-by-design" approach.
Conduct Risk Assessments: Update or create new cybersecurity risk assessments for all in-scope products. The focus should be on the risks addressed by the RED's essential requirements.
Implement Key Security Features: Ensure devices have mechanisms in place for:
Secure updates: Implement a secure software and firmware update mechanism to address vulnerabilities throughout the device's lifecycle.
Data encryption: Use robust encryption for data at rest and in transit.
Strong authentication: Require secure authentication for user access and device configuration.
Protection against misuse: Design products to prevent them from being used to harm networks (e.g., as part of a botnet).
3. Documentation & Conformity
Prepare Technical Documentation: Begin compiling and updating a detailed technical file for each product. This documentation must serve as a comprehensive record of the product's design, manufacturing, and conformity assessment. It must include all the evidence of compliance with EN 18031.
Execute Conformity Testing: Conduct a conformity assessment and testing to prove that your products meet the requirements of the applicable EN 18031 standards. This testing is crucial for gathering the evidence needed for your technical file.
Draft Declaration of Conformity: Prepare the EU Declaration of Conformity (DoC) for each product. This legal document, signed by the manufacturer, declares that the product meets all applicable RED requirements.
Decide on Notified Body Involvement: If you apply the harmonized standards (EN 18031) in full, you can use the internal production control module, which allows for self-declaration and does not require a Notified Body. If you cannot meet the standards fully or choose to use different ones, you will need to engage a RED Notified Body to certify your product.
4. Post-Market Readiness
Establish Vulnerability Management Process: Create and maintain a process for handling security vulnerabilities after the product has been placed on the market. This includes providing a way for users and researchers to report issues and ensuring a plan for issuing security updates.
Monitor for Regulatory Changes: Stay informed about the RED and its future relationship with the forthcoming EU Cyber Resilience Act (CRA). The CRA is expected to broaden the scope of cybersecurity requirements to a wider range of connected products.
Train Staff: Educate your product development, legal, and marketing teams on the new requirements to ensure a holistic approach to compliance.
Test of Things is a security test automation and compliance management platform that provides a centralized, automated solution to get a comprehensive view of the security posture of the entire product portfolio for compliance officers and managers, CISOs and regulatory affairs speacialists.
If your role is to ensure that products meet all relevant legal and regulatory requirements, manage the certification process and maintain technical documentation for audits, then Test of Things is for you.
