EU RED Cybersecurity: Your Complete Compliance Guide

RED cybersecurity requirements for radio equipment became mandatory on August 1, 2025. If you manufacture routers, IoT devices, or any wireless equipment for the EU market and haven’t achieved compliance yet, you’re at risk of enforcement actions. Here’s exactly what’s required—and how to achieve compliance quickly.

Most manufacturers we speak with are confused about the Radio Equipment Directive (RED) cybersecurity requirements. Some are just discovering these requirements exist, while others know they need to comply but aren’t clear on the practical steps.

This guide cuts through the regulatory fog to give you actionable clarity on RED cybersecurity compliance—including the self-attestation path that can get you compliant in weeks rather than months.

What Are the RED Cybersecurity Requirements?

The RED cybersecurity requirements come from Delegated Regulation (EU) 2022/30, which applies to all radio equipment placed on the EU market. These aren’t guidelines or recommendations—they’re legally binding requirements enforced by national market surveillance authorities across all EU member states.

Here’s what makes these requirements particularly serious: non-compliance can trigger EU-wide product recalls shared via the EU Safety Gate system (RAPEX). When one member state identifies a non-compliant product, the information spreads to all 27 EU countries within days.

The Timeline That Led Us Here

• January 13, 2022: Delegated Regulation 2022/30 published
• August 1, 2025: Full enforcement began—cybersecurity compliance became mandatory
• Today (November 2025): Only compliant products can be legally placed on the EU market

Current reality: If your radio equipment doesn’t meet these cybersecurity requirements, you cannot legally sell it in the EU. Market surveillance authorities are actively checking compliance, and non-compliant products face removal from the market.

What Does RED Cybersecurity Actually Require?

The original Radio Equipment Directive (2014/53/EU) established three essential requirements for radio equipment:

• Article 3.1(a): Health and safety protection
• Article 3.1(b): Electromagnetic compatibility (EMC)
• Article 3.2: Efficient use of radio spectrum

The 2022 delegated act added three cybersecurity requirements that are now fully enforced:

Article 3.3(d): Network Integrity and Resource Protection

Your equipment must not harm networks or misuse network resources. This means implementing controls to prevent your device from being weaponized in DDoS attacks, cryptomining, or other network abuse.

In practice, among others, this requires:

• Rate limiting and traffic controls
• Resource usage monitoring
• Secure update mechanisms

Article 3.3(e): Personal Data and Privacy Protection

Your equipment must protect personal data and privacy. This goes beyond GDPR—it’s about technical measures built into the product itself.

In practice, among others, this requires:

• Data encryption at rest and in transit
• Secure data deletion capabilities
• Access control mechanisms

Article 3.3(f): Anti-Fraud Features and Controls

Your equipment must include features to protect against fraud. This is particularly relevant for payment systems, authentication mechanisms, and any features handling sensitive transactions.

In practice, among others, this requires:

• Secure authentication methods
• Audit logging capabilities
• Secure update mechanisms

Critical point: You cannot affix the CE mark unless your product complies with ALL applicable RED requirements, including these cybersecurity provisions. A product that meets EMC and radio requirements but fails cybersecurity cannot legally enter the EU market—and as of August 1, 2025, this is being actively enforced.

How to Achieve RED Cybersecurity Compliance Now

For radio products that need to enter or remain in the EU market, you have two main compliance paths:

Option A: Self-Attestation Using Harmonized Standards (Module A)

This is the fastest path to compliance—critical if you’re not yet compliant. By fully applying a harmonized standard, you gain “presumption of conformity”—meaning authorities presume your product complies with the relevant RED requirements.

The process:

1. Select and fully implement the appropriate harmonized standard
2. Generate comprehensive technical documentation proving compliance
3. Perform internal testing and verification
4. Issue your EU Declaration of Conformity
5. Affix the CE mark

Timeline: Most manufacturers complete this in 3-6 weeks when properly supported

Cost: Typically €4,000-8,000 for documentation and assessment tools

Control: You maintain full control over timeline and process

Advantage now: Fastest path to compliance if you’re currently non-compliant

Option B: EU-Type Examination with Notified Body (Module B)

This path involves third-party certification, similar to traditional product certification processes.

The process:

1. Submit your product to an EU notified body
2. Wait for scheduling and examination
3. Receive EU-type examination certificate
4. Maintain ongoing compliance verification
5. Issue Declaration of Conformity referencing the certificate

Timeline: Typically 4-6 months due to notified body scheduling

Cost: €20,000-30,000 plus annual surveillance fees

Control: Timeline depends on notified body availability

Challenge now: Long wait times mean extended non-compliance period

Harmonized Standards for RED Cybersecurity

The European Commission has published three harmonized standards specifically for RED cybersecurity compliance. While each standard targets different equipment types, they all share core security requirements.

Common Requirements Across All Standards

All three EN 18031 standards require:

1. Secure update mechanisms - Authenticated firmware/software updates with integrity verification
2. Access control and authentication mechanisms - Proper user authentication and authorization
3. Secure communications protocols and cryptography - Encrypted communications and proper cryptographic implementation
4. Secure storage - Protection of sensitive data at rest
5. Security by default requirements - Secure default configurations out of the box

EN 18031-1: Internet-Connected Radio Equipment

Applies to: Routers, gateways, access points, and any radio equipment with internet connectivity

This standard focuses on equipment that acts as a network boundary or provides connectivity services. Beyond the common requirements, EN 18031-1 additionally requires:

• Network monitoring mechanisms - Capabilities to detect and report network anomalies
• Traffic control mechanisms - Rate limiting and traffic management to prevent network abuse
• Resilience mechanisms - Features to maintain operation and recover from attacks

EN 18031-2: Data-Processing Radio Equipment

Applies to: IoT devices, wearables, smart home products, connected sensors

This standard covers radio equipment that processes user or operational data. Beyond the common requirements, EN 18031-2 additionally requires:

• Privacy preserving deletion mechanisms - Secure and complete data deletion capabilities
• User notification mechanisms - Informing users about data processing and security events
• Privacy aware logging mechanisms - Logging that protects user privacy while maintaining security

EN 18031-3: Virtual Money Processing Equipment

Applies to: Payment terminals, cryptocurrency wallets, digital payment devices

This specialized standard addresses equipment handling monetary transactions. Beyond the common requirements, EN 18031-3 additionally requires:

• Audit logging mechanisms - Comprehensive logging of security-relevant events for financial transactions
• Equipment integrity - Anti-tampering protections and integrity verification mechanisms

Important: These standards are comprehensive and rigid. They require precise documentation of how each requirement is met, including test evidence, design documentation, and implementation details. The documentation must be readily available to market surveillance authorities—vague or incomplete documentation risks non-compliance findings.

The Hidden Challenge: Documentation and Evidence

Here’s what many manufacturers discover too late: EU self-attestation doesn’t mean “self-certification” without proof. Market surveillance authorities expect rigid, comprehensive documentation demonstrating compliance with every applicable requirement.

This documentation must include:

• Detailed mapping of how each standard requirement is addressed
• Test evidence showing verification of security controls
• Required information from the standard - Each requirement specifies mandatory information elements (e.g., descriptions of security mechanisms, operational configurations, and implementation details)
• Assets present in the equipment - Complete documentation of security assets (sensitive parameters, credentials, cryptographic keys) and network assets (network configurations and functions) that require protection

Market authorities can request this documentation at any time. With enforcement now active, inadequate documentation may be treated the same as non-compliance by market authorities—potentially triggering recalls, fines, or market access restrictions depending on the specific authority’s enforcement approach.

Making Your Compliance Decision Today

Since the deadline has passed, your decision criteria have shifted. Here’s how to choose your path:

Choose Self-Attestation If:

• You need compliance as quickly as possible (you’re currently at risk)
• You want to control your compliance timeline
• Your engineering team can implement security requirements
• You have (or can obtain) documentation capabilities
• Minimizing time to compliance is critical

Choose EU-Type Examination If:

• You’re entering highly regulated sectors
• Your customers specifically require third-party certification
• You lack internal security expertise
• You can accept 4-6 months of no market access or non-compliance risk
• You’re willing to pay premium prices for third-party validation

Reality check: If you’re not yet compliant, self-attestation is likely your only viable option for rapid market access restoration.

How Easynorm Accelerates Your Compliance Journey

The engineers who built Easynorm faced these same RED compliance challenges. They discovered that while implementing security features was manageable, generating the rigid compliance documentation took months of tedious work.

That’s why Easynorm automates the documentation-heavy parts of EN 18031 compliance:

• Automated requirement mapping that translates standards into engineer-friendly checklists
• Evidence collection templates that capture exactly what authorities expect
• Documentation generation that produces audit-ready technical files
• Progress tracking that shows exactly where you stand in the compliance process

Most importantly, Easynorm uses language engineers understand—not compliance jargon. You answer technical questions about your implementation, and the platform generates the formal compliance documentation authorities require.

Real results from manufacturers using Easynorm:

• 3-week typical completion (vs 6 months with consultants)
• €16,000+ savings compared to traditional certification
• Full technical documentation package ready for authorities
• Ongoing compliance maintenance simplified

Take Action Now—Compliance Is Already Mandatory

With RED cybersecurity requirements in full effect since August 1, 2025, every day of non-compliance increases your risk. Market surveillance authorities are actively checking products, and non-compliant equipment faces removal orders.

Your immediate next steps:

1. Assess your compliance status —are you currently meeting RED cybersecurity requirements?
2. If non-compliant, stop placing new products on the EU market until compliant
3. Choose the self-attestation path for fastest compliance (unless you specifically need third-party certification)
4. Begin documentation preparation immediately —this is typically the longest part

If you’re already compliant, now is the time to verify your documentation meets authority expectations. If you’re not yet compliant, you need to act immediately to protect your EU market access.

Ready to Achieve Compliance Quickly?

See how Easynorm can transform your EN 18031 compliance from a 6-month consulting project into a 3-week engineering sprint. Our platform automates the rigid documentation requirements while you focus on implementing security features.

For manufacturers who aren’t yet compliant, this could be the difference between weeks and months of lost EU market access.

Request a demo to see exactly how Easynorm handles your specific equipment type and compliance needs. Join manufacturers who’ve already secured their EU market access—efficiently and affordably.

---

Need immediate help with RED cybersecurity compliance? Our compliance engineers understand the urgency. Contact us for rapid compliance support tailored to your specific radio equipment.