
If you sell a radio-enabled product in the EU, you are already under the Radio Equipment Directive (RED). That part is not new. What changed in August 2025 is that cybersecurity became a legal requirement, not just a recommendation. The RED-DA (the Delegated Act), formally adopted as Regulation (EU) 2022/30, activated the cybersecurity provisions of Article 3.3, ending years of voluntary compliance and turning aspirational goals into enforceable obligations. For manufacturers, this is not a minor administrative update. It affects product design, testing, documentation, and market access. Getting it wrong means the CE mark cannot legally be applied, which means the product cannot be legally sold in the EU.

The Radio Equipment Directive (RED) 2014/53/EU sets essential requirements for any product that uses the radio frequency spectrum, intentionally or otherwise. Mobile phones, Wi-Fi routers, Bluetooth trackers, smart home sensors, GPS receivers, baby monitors, wearables: if it communicates wirelessly and ships to the EU market, it almost certainly falls under RED. The directive was never purely about RF safety. It always included health, electromagnetic compatibility, and spectrum efficiency. But Article 3.3 gave the European Commission the authority to extend those requirements further, and the RED-DA used that power to bring wireless device security into scope for the first time as a binding obligation.
The scope matters. The Delegated Act applies specifically to internet-connected radio equipment. A standalone Bluetooth remote with no network connectivity might sit outside this scope; a Wi-Fi-enabled thermostat almost certainly does not. Manufacturers need to verify carefully whether their product qualifies before assuming exemption, as our earlier piece on Adapting to Articles 3.3(d), (e), and (f) covers in detail.
Article 3.3 of the RED gives the Commission authority to impose additional essential requirements on specific product categories. The RED cybersecurity requirements activated through the RED-DA invoke three of these clauses for internet-connected radio equipment.
Article 3.3(d) requires that radio equipment does not harm the network or impair its operation. Devices must not become vectors for network attacks, must behave predictably under stress, and must not broadcast in ways that degrade shared infrastructure.
Article 3.3(e) addresses safeguards for personal data and privacy. This clause goes further than basic encryption. Devices must protect user data in transit and at rest, limit data collection to what is strictly necessary, and handle credentials securely throughout their lifecycle.
Article 3.3(f) targets fraud prevention. Radio equipment must include protections that prevent it from being used to facilitate fraud against users or third parties, a clause that becomes particularly relevant for payment-capable devices, voice assistants, and connected financial equipment.
These three obligations apply in parallel. A device cannot satisfy 3.3(d) while ignoring 3.3(e); all three pillars must be addressed. As we covered in our article on the Challenges in Implementing RED's Cybersecurity Requirements, the interaction between these clauses is exactly where most manufacturers run into trouble.
Knowing what you must achieve is only part of the problem. Knowing how to demonstrate you've achieved it is the other part, and that's where harmonised standards become essential.
The ETSI cybersecurity standards designated as EN 18031 are the Commission-mandated harmonised standards for RED cybersecurity. EN 18031-1 covers network protection (aligned with 3.3(d)), EN 18031-2 addresses personal data and privacy (3.3(e)), and EN 18031-3 handles fraud prevention (3.3(f)). Together they translate the legal clauses of the RED-DA into specific, testable technical requirements.
The practical importance of this is real. Under EU law, products that comply with a harmonised standard benefit from a "presumption of conformity" with the corresponding essential requirements. Demonstrating EN 18031 compliance is the most direct route to satisfying Article 3.3 without a Notified Body having to adjudicate the manufacturer's own interpretation of the law. As we discussed in our piece on how EN 18031 shapes wireless product security, the standard is not optional reading for anyone going through conformity assessment.
The RED testing requirements that flow from EN 18031 are specific. They cover access control, software update mechanisms, secure boot, data minimisation, credential storage, and more. Manufacturers who discover these requirements only at the pre-certification stage face the same outcome repeatedly: redesign. The test doesn't fail the documentation; it fails the product.

Reaching the end of a development cycle without a compliance strategy is costly. The structure of RED compliance requires manufacturers to work on two things simultaneously: the technical security work and the documentation that proves it was done properly.
For most internet-connected radio equipment, conformity assessment under RED requires either self-declaration (Module A) or involvement of a Notified Body via EU-Type Examination (Module B). Module A is only available when the manufacturer has fully applied the relevant harmonised standards. Where no harmonised standard applies, or where the product falls into a category where Module A is not permitted, Notified Body involvement is mandatory.
RED technical documentation is not a formality. It is the evidence file that justifies the CE mark, and it must contain design specifications, a list of applicable standards with their coverage, test results, risk assessments, and the Declaration of Conformity. An incomplete or internally inconsistent documentation package is the same as no package at all from a market surveillance perspective.
The CE marking RED requirement is the final gate: only once conformity is established and fully documented can the mark be applied. Applying it early creates legal exposure across the entire supply chain; manufacturers, importers, and distributors all carry responsibility.
It is also worth noting that this work does not become obsolete quickly. As we explored in Why RED is the Blueprint for CRA Success, the technical foundations built for IoT device compliance under RED map closely onto what the Cyber Resilience Act will require. For devices incorporating AI, the picture becomes more complex still, as outlined in our overview of the RED and AI Act overlap. Treating RED compliance as a foundation, rather than a deadline to clear and forget, is the more practical long-term position.
Meeting RED compliance is not about passing a single test and moving on. The Radio Equipment Directive's cybersecurity requirements (across Article 3.3(d), (e), and (f)) demand security that is designed in from the start, verified against EN 18031 and the relevant harmonised standards, documented properly, and capable of supporting ongoing vulnerability management throughout the product lifecycle. Manufacturers who approach this methodically avoid the expensive corrections that come from treating it as an afterthought.
At QIMA CCLab Cybersecurity Laboratory, we support manufacturers at every stage of meeting RED cybersecurity requirements:
Scope and gap analysis: We help you determine whether your product falls under the RED-DA, which Article 3.3 clauses apply, and how far your current design is from compliance.
Testing against EN 18031 and ETSI cybersecurity standards: Our laboratory is qualified by the RED Notified Body CerTrust (ID: 2806), meaning our test results can be accepted directly for EU-Type Examination.
RED technical documentation preparation: We support the preparation and review of the full security documentation required for conformity assessment, from test reports to the Declaration of Conformity.
End-to-end RED support: From initial consultation through Notified Body submission, we manage the full certification lifecycle so manufacturers don't lose time navigating unfamiliar processes.
What is the Radio Equipment Directive (RED)?
The Radio Equipment Directive (2014/53/EU) is the EU regulatory framework that sets essential requirements for radio equipment placed on the European market. Beyond safety and electromagnetic compatibility, its Delegated Act (Regulation EU 2022/30) now requires internet-connected radio equipment to meet binding cybersecurity obligations under Article 3.3.
Which products are subject to the RED cybersecurity requirements?
The RED-DA cybersecurity requirements apply to internet-connected radio equipment, childcare radio equipment, and wearable radio equipment. This includes a broad range of products — smart home devices, Wi-Fi routers, wearables, connected health devices, and more. Manufacturers should verify scope carefully, particularly where internet connectivity is optional or indirect.
What are the Article 3.3 cybersecurity requirements?
Article 3.3(d) requires that devices protect networks from harm. Article 3.3(e) requires safeguards for personal data and privacy. Article 3.3(f) requires protection against fraud. All three apply simultaneously to in-scope devices, and demonstrating compliance with each is necessary for CE marking.
How does EN 18031 help with RED compliance?
The EN 18031 series is the set of harmonised standards mandated for RED cybersecurity. Products that comply with EN 18031-1, EN 18031-2, and EN 18031-3 benefit from a presumption of conformity with Article 3.3(d), (e), and (f) respectively. This is the most direct route through conformity assessment.
Do I need a Notified Body for RED cybersecurity certification?
It depends on whether you have fully applied the relevant harmonised standards. If EN 18031 applies to your product and you can demonstrate complete compliance, self-declaration (Module A) may be available. If no harmonised standard applies, or if your product falls into a mandatory third-party category, EU-Type Examination by a Notified Body is required.
What technical documentation does RED require?
Manufacturers must prepare and maintain a technical file that includes design specifications, test reports, a list of applicable standards and how they were applied, risk assessments, and the Declaration of Conformity. This documentation must remain available for market surveillance authorities for a minimum of ten years after the product is placed on the market.
When did the RED cybersecurity requirements become mandatory?
The cybersecurity provisions of the RED Delegated Act became mandatory on 1 August 2025. Products placed on the EU market after that date must comply with Article 3.3(d), (e), and (f), or cannot legally bear the CE mark.
Can manufacturers self-declare conformity with RED cybersecurity requirements?
Yes, if they have fully applied the relevant harmonised standards (EN 18031). Self-declaration through the Internal Production Control procedure (Module A) is permitted in those circumstances. Where no harmonised standard is available or the product category requires third-party assessment, a Notified Body must be involved. CCLab's laboratory is qualified by CerTrust (Notified Body ID 2806) to provide testing results accepted for EU-Type Examination.