Radio Equipment Directive (RED)

The Radio Equipment Directive (2014/53/EU) is a longstanding EU law that ensures any wireless/radio-emitting equipment (from smartphones to Wi-Fi routers and IoT gadgets) is safe and meets regulatory standards. Traditionally, RED covered electrical safety, health, electromagnetic compatibility (EMC), and efficient use of radio spectrum. Recently, under Article 3.3 of RED, it added three new cybersecurity requirements for certain radio-connected devices.

Deeper Dive

Goal

Under Article 3.3 of RED, it has the goal of protecting applicable devices and that they:
must not harm communication networks nor misuse network resources (e.g. a compromised IoT device should not be able to take down Wi-Fi networks)
must safeguard users’ personal data and privacy.
must have features to protect against fraud (particularly for devices handling payments or critical functions)

Key Requirements

The RED article 3.3 requires connected products (e.g. products using WiFi, Bluetooth, ZigBee, LoRA, NFC, 5G etc) to be secure. You must:

Ensure that radio equipment does not harm network functionality or misuse resources.
That personal data and the privacy for internet connected devices are protected.
That devices handling virtual money or monetary value, securely process this data.

The EN 18031 standards provide a practical framework for meeting RED 3.3 cybersecurity requirements.

Timeline

All applicable devices that will be placed on the market after the 1st of August 2025, will have to be compliant with RED 3.3.

If the product is placed on the market before this date, the product is not required to comply with RED 3.3. However, if any further updates or changes are made to the product while on the market, it will require compliance.

A typical RED 3.3 compliance journey takes around 9 months to complete.

CRA Relationship

RED 3.3 only focuses on the security of the device itself (hardware, software, firmware and interfaces), and not on the connected components and all the phases of the life cycle, as the Cyber Resilience Act (CRA) does. CRA also covers wired and software-only products too.

RED 3.3 however, is a part of the CRA requirements, which will come into effect in the coming years. The compliance journey of RED takes the first steps in the preparations for the CRA. Find out more about CRA.

Technical Deep Dive

The European Commission has mandated the development of specific standards (the EN 303 645 series and others) to support the RED requirements. Draft versions (e.g. EN 303 645-2 testing procedures) are emerging. We keep an eye on these so you can implement solutions that will meet the final standard. For instance, ensuring your device forces users to change default passwords addresses both RED privacy requirements and aligns with EN 303 645 guideline 5.1. If no harmonised standard is cited by the EU yet, a Notified Body may need to assess your product’s compliance.

The EN 18031 standards provide a practical framework for meeting RED 3.3 cybersecurity requirements. These standards break down the key expectations mentioned above, that are outlined in articles 3.3 (d), (e), and (f) of the RED. Specifically, EN 18031-1 addresses article 3.3 (d) by ensuring that devices don’t disrupt network functions or misuse resources, supporting secure network operations. EN 18031-2 focuses on article 3.3 (e), protecting personal data and privacy for internet-connected devices like wearables and toys. Finally, EN 18031-3 meets article 3.3 (f) by safeguarding the secure handling of data for devices that process virtual money or hold monetary value.

Smart Resources

1 / Official Documents & Legislation Articles

Radio Equipment Directive (2014/53/EU) - the original directive
EUR-Lex full text

RED Delegated Regulation (EU) 2022/30 (Article 3.3 d/e/f cybersecurity requirements)
EUR-Lex full text

Explanatory Memorandum

EU Legislative Proposal Archive (includes impact assessments)

2 / Relevant Standards & Technical Guidance

ETSI EN 303 645 — Baseline Security for Consumer IoT
ETSI download

ETSI TS 103 701 — Conformance Assessment of EN 303 645
ETSI download

BS EN 18031-1:2024 - Common security requirements for radio and internet connected radio equipment

EN 18031 purchase standard

3 / Best Practice and Certification Resources

UK Code of Practice for Consumer IoT Security - although UK-specific, this code inspired many provisions under RED Article 3.3
Gov.uk guidance

Notified Bodies for RED

NANDO RED list

Connected Services

To support your RED 3.3 compliance journey, below are examples of services we can support your organisation with. We understand that the regulatory landscape can be complex so we are there to support and guide you through it.

Regulatory Gap Analysis

We review your existing product security measures and identify gaps in line with EN 18031 standards for network security, data privacy, and secure transaction processing.

Product Roadmap

Assessing the impact on your products and undertaking product design reviews to ensure product development alignment with RED 3.3 as well as planning updates of existing products.

Product Testing

We use our accredited testing service to verify compliance with key standards such as ETSI EN 303 645, IEC 62443-4 4 and use this as evidence to support your conformity submission.