
The landscape of wireless technology security is undergoing a massive transformation. If you are manufacturing a connected device today, you are already subject to the Radio Equipment Directive (RED). With the RED-DA (Delegated Act) cybersecurity requirements now mandatory, manufacturers cannot afford to treat security as an afterthought. The August 2025 RED deadline was the first, non-negotiable step for ensuring the cybersecurity of radio equipment. But how exactly do manufacturers prove that their wireless product security meets the rigorous demands of the law?
At its core, RED applies to radio equipment placed on the EU market. The RED-DA introduces critical cybersecurity requirements through Articles 3.3(d) (Network Protection), 3.3(e) (Data & Privacy), and 3.3(f) (Fraud Prevention). These obligations apply to all radio-enabled products offered in the EU, ensuring that a low-cost connected gadget is held to the same fundamental cybersecurity principles as a high-value industrial controller.
As explained in our article on Adapting to Articles 3.3(d), (e), and (f), aligning with these pillars early transforms the certification journey into a smoother, more predictable process. By leveraging RED cybersecurity assessments as a baseline, you meet your legal obligations under EU law and establish a robust product security baseline.

Legal clauses define what needs to be achieved, but they do not always explain how to demonstrate it. The ETSI EN 18031 series fills that gap by translating RED’s cybersecurity clauses into clear, measurable requirements. Following these harmonized standards is the most effective way to gain a presumption of conformity during your conformity assessment.
The series is divided into three parts that mirror RED's core obligations:
EN 18031-1: Network protection
EN 18031-2: Personal data security
EN 18031-3: Fraud prevention
By providing specific criteria for implementation and verification, EN 18031 creates a common language for engineers, compliance teams, and Notified Bodies. If you want to understand the obstacles manufacturers face during this process, read our breakdown on the Challenges in Implementing the Radio Equipment Directive's Cybersecurity Requirements.
Treating RED cybersecurity implementation as a "post-test" instead of engineering it into the design from day one is a common pitfall. To avoid costly redesigns and months of delay, manufacturers must embed a secure-by-design mindset directly into their secure product development lifecycle.
As highlighted in our piece on Navigating RED Compliance Strategies, integrating EN 18031 into the development cycle dramatically reduces the likelihood of late-stage certification issues. This involves establishing clear policies for vulnerability management, such as patch frequency, secure signing, and rollback capabilities. It also means that engineering, quality assurance, compliance, and product management teams can work from the same baseline of requirements and evidence expectations.
The work you put into RED compliance is not a sunk cost; it is the technical foundation for upcoming EU cybersecurity regulation, including the Cyber Resilience Act (CRA). The EN 18031 series is "almost certainly" expected to also form the basis for the harmonized horizontal standard for the CRA.
As noted in Why RED is the Blueprint for CRA Success, manufacturers will be responsible for patching vulnerabilities for years after the sale. By integrating EN 18031 controls into product design today, teams anticipate threats, streamline documentation, and build resilient solutions ready for global deployment. Furthermore, as explored in Navigating the RED and AI Act Overlap, if your radio device uses AI for mandatory security functions, it may soon face even stricter scrutiny under the AI Act.
Achieving RED compliance for your wireless devices is more than a regulatory hurdle; it is a strategic advantage. By aligning with RED Article 3.3 and utilizing the ETSI EN 18031 series, manufacturers can confidently navigate conformity assessments.
At QIMA CCLab Cybersecurity Laboratory, we support manufacturers in meeting RED requirements through:
End-to-end RED support: From mapping requirements to submitting to a Notified Body.
Documentation preparation and review: Aligning all security evidence with RED’s technical file expectations.
Accredited cybersecurity testing: Providing results that CerTrust (Notified Body ID 2806) can accept for EU Type Examination.
What is the Radio Equipment Directive (RED)?
The Radio Equipment Directive (RED) is a regulatory framework ensuring that radio equipment placed on the EU market is safe and compliant. Along with health and safety standards, its recent Delegated Act strictly enforces cybersecurity protections, safeguarding networks and personal data and protecting against fraud.
What types of products are covered under the RED?
The RED covers a vast array of products utilizing the radio frequency spectrum. This includes wireless devices (smartphones, laptops, smartwatches), internet-connected radio equipment, short-range devices like Wi-Fi and Bluetooth equipment, and even telecommunications terminal equipment.
How do manufacturers prove compliance with RED?
Manufacturers must create and maintain technical documentation demonstrating conformity with RED's essential requirements. While certain devices allow for self-declaration (if fully utilizing harmonised standards), products with higher risks or specific characteristics legally require the involvement of a Notified Body.