In its first attempt to raise cybersecurity standards for products reaching the EU market, the EU amended the Radio Equipment Directive (RED) to include cybersecurity requirements. This amendment means that all radio-capable and wireless products must comply with these requirements to be sold in the EU.
If you manufacture wireless or radio equipment for the EU market, August 1, 2025 is a date you can’t miss. This is when the RED cybersecurity requirements become mandatory.
What Are the RED Cybersecurity Requirements?
The Radio Equipment Directive (2014/53/EU) was amended to add cybersecurity requirements. Article 3(3) now requires that radio equipment:
- (d) Doesn’t harm the network or its functioning
- (e) Includes safeguards to protect personal data and privacy
- (f) Supports features to protect against fraud
These requirements apply to radio equipment capable of connecting to the Internet or exchanging data over a network.
Harmonized Standards for Compliance
The EU has harmonized three standards to help manufacturers demonstrate compliance with the articles. If your product meets the requirements in these standards, European regulators will presume you’ve met the legal requirements. This is called presumption of conformity.
In practical terms: if you comply with the applicable EN 18031 standards, that’s your proof that you meet the RED requirements. You don’t have to prove compliance with the RED directly.
The three harmonized standards are:
- EN 18031-1: For radio equipment with Internet connectivity (routers, gateways)
- EN 18031-2: For radio equipment processing data (Internet-connected radio equipment, wearables)
- EN 18031-3: For radio equipment processing virtual money or monetary value
Which standards apply to your product depends on its functionality.
Does This Apply to Your Product?
RED cybersecurity requirements apply to certain radio equipment sold in the EU.
Products commonly affected include those that use radio spectrum for communication and either connect to the Internet, process data, or handle personal information.
However, whether RED applies to your specific product depends on several factors, including its functionality, use case, and technical characteristics.
Commonly affected products include:
- WiFi routers and access points
- IoT sensors and devices
- Smart home products
- Wearable devices with wireless connectivity
- Industrial IoT equipment
- Cellular modules and modems
RED applicability rules are complex—functionality, use case, and technical characteristics all determine which requirements apply to your specific product.
Know Exactly What Applies Before You Start
Now that RED compliance is mandatory, misunderstanding scope means wasted engineering time on inapplicable requirements—or worse, missed obligations. Our compliance engineers built this assessment tool using the same methodology we use for enterprise scoping—determine your exact RED obligations in 7 minutes, no consultation needed.
The August 2025 Deadline
Before August 1, 2025: You could place products on the market under the old rules (no cybersecurity requirements).
After August 1, 2025: All radio equipment placed on the EU market must comply with the cybersecurity requirements. This includes new products, products in your inventory, and existing product lines still being manufactured.
Important: Products already sold to distributors or retailers before the August deadline aren’t affected. But new inventory placed after the deadline must comply.
How to Demonstrate Compliance
You have two main options:
Self-Assessment Using EN 18031
For most manufacturers, self-assessment using the EN 18031 standards is the fastest and most cost-effective path.
Why self-assessment:
- Completion time depends on your availability
- Typically much lower cost than third-party testing
- You fully control the process and timeline
- You get immediate access to results
Important: To self-assess, your product must fully comply with the applicable EN 18031 standards and come with the necessary technical file. You can’t use self-assessment if your product only partially meets the requirements.
WiFi, Bluetooth, and cellular-connected devices can use EN 18031 self-assessment. Easynorm can support you in fully complying with the standard, completing your self-assessment, and generating your technical file.
Third-Party Testing (Notified Body)
If your product can’t use EN 18031, or if you prefer independent verification, you can use a Notified Body.
Trade-offs:
- Higher cost (€15,000-€30,000)
- Timeline depends on Notified Body availability (typically close to 6 months)
- Limited availability as the deadline approaches
- May be required for specific product categories
Additional considerations:
- Notified Bodies may need time to understand your product’s architecture and cybersecurity features, adding to the timeline
- You’ll need to translate between compliance language and engineering documentation, which takes effort and can introduce delays
What to Do Now
Here’s your action plan:
1. Determine Applicability
Review your product portfolio. For each product, assess whether the EU RED cybersecurity requirements apply.
2. Choose Your Compliance Path
Identify the relevant EN 18031 standards and decide whether EN 18031 self-assessment is your selected path.
3. Start Your Assessment
Pre-assess your product to identify potential gaps in meeting EN 18031.
4. Complete Testing and Documentation
Once the EN 18031 standards can be met, generate the necessary compliance documentation.
Allow time for:
- Assessment (internal or third-party)
- Product modifications (if needed)
- Technical file updates
- Declaration of Conformity
5. Update Labeling and Documentation
Make sure your:
- Declaration of conformity marking references RED cybersecurity articles
- Technical files required by EU market authorities are complete
What Happens If You Don’t Comply
Missing the August 2025 deadline means:
- You can’t legally place products on the EU market
- Risk of market surveillance penalties or recalls
You Don’t Need to Be a Standards Expert
Standards are written in standards language. They’re formal and often hard to translate into actual engineering work.
Easynorm translates EN 18031 into the language of embedded systems engineers. Instead of parsing formal standards text, you get requirements written for people who build products.
What this means:
- Requirements in engineering terms, not compliance jargon
- Clear guidance on what applies to your specific product
- Step-by-step assessment process
- Documentation that meets RED requirements
- Complete in 3-4 weeks, not 6 months
You focus on building compliant products. We handle the standards interpretation.
Pricing: €4,000 per product per year, with volume discounts available.
Summary
The August 2025 deadline is approaching. Here’s what to do:
- Review your products - Determine which fall under RED requirements
- Choose your path - Self-assessment (EN 18031) or third-party testing
- Start now - Don’t wait until spring 2025
Need help? We provide EN 18031 self-assessment tools that help you achieve RED compliance faster and more cost-effectively than traditional approaches.