Technical Blog | Granite River Labs | United States

EU RED Cybersecurity Compliance: Preparing for August 1 2025

Written by GRL Team | Apr 16, 2025 2:49:33 AM

It’s official: beginning 1 August 2025, all radio equipment placed on the European Union (EU) market that falls within the scope of the Delegated Act (2022/30) to the Radio Equipment Directive (2014/53/EU) must comply with enhanced cybersecurity requirements to continue with CE marking. These measures are designed to strengthen protection of personal data, ensure network integrity, and prevent fraudulent activity in an increasingly connected digital landscape. Specific compliance exceptions are permitted if manufacturers can meet requirements defined in harmonized standards EN 18031-1, EN 18031-2 and EN 18031-3, as applicable. 

Originally scheduled for enforcement on 1 August 2024, the deadline was extended by one year to allow additional time for harmonized standards development and implementation planning. However, manufacturers are strongly encouraged to move quickly. Preparing now for compliance will help mitigate the risk of costly late-stage redesigns and ensure a smoother entry into the evolving EU regulatory environment.

Which devices fall under EU RED cybersecurity scope?

It’s important to note that not all radio devices fall under EU RED. Cybersecurity compliance is only required for the following devices:

  1. Internet-connected consumer electronics, e.g. mobile phones, tablets, cameras, and smart TVs

  2. IoT-enabled devices, e.g. smart home hubs, wearable tech, and connected toys

  3. Toys, childcare and safety equipment, e.g. baby monitors and GPS trackers

  4. Industrial radio equipment and wireless automotive electronic sub-assemblies that connect to networks

  5. Any device capable of radio communication and internet connectivity

The following devices may be excluded completely or receive exceptions from certain EU RED articles by virtue of being governed by regulations within their respective industries.

  • Completely excluded: Medical devices

  • Excluded from Articles 3(3)(e) and (f): 
    • Aviation, motor vehicles, and electronic road toll systems
    • Offline-only radio devices, like DAB radios or radar units, which are not internet-connected

Manufacturers who are still unsure whether their devices fall under the EU RED cybersecurity umbrella may refer to the official European Commission website [1] or consult GRL cybersecurity experts for more information.

EU RED compliance for existing devices

Devices that are already circulating within the EU market can be used until the end of their lifespan provided that there are no specifications directly related to potential security concerns. All individual radio products placed on the EU market after 1 August will have to comply with the latest requirements, regardless of whether they are part of a pre-existing product series.

How the EU RED update addresses cybersecurity threats

With everyday devices such as smartphones, industrial IoT modules, and even toys entering the radio ecosystem, cybersecurity risks are higher than ever. In response, the European Commission has activated Articles 3(3)(d), (e), and (f) of the Radio Equipment Directive (RED):

Article 3.3 (d) - radio equipment does not harm the network or its functioning nor misuse network resources, thereby causing an unacceptable degradation of service. 

Example: Implementing data rate throttling and backoff strategies during firmware updates or error recovery to help avoid flooding networks. Note that this article can be fulfilled by meeting requirements of EN 18031-1.
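
The throttling and backoff idea from the Article 3(3)(d) example, written as device-side C. This is an added illustration, not code from the article, GRL, or EN 18031-1: failed update attempts back off exponentially with jitter, and a token bucket caps how many firmware bytes are requested. The function names, constants and sample values are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
/* Assumed policy values for illustration; not taken from EN 18031-1. */
#define BASE_DELAY_MS 1000u      /* retry window after the first failure */
#define MAX_DELAY_MS  3600000u   /* window never grows past one hour */

/* Exponential backoff with equal jitter: the delay falls in [window/2, window],
 * so a fleet that failed together does not retry together.
 * attempt = consecutive failures so far; rnd = value from the device RNG,
 * passed in so the policy can be tested deterministically. */
uint32_t retry_delay_ms(uint32_t attempt, uint32_t rnd)
{
    uint32_t window = BASE_DELAY_MS;
    while (attempt-- > 0 && window < MAX_DELAY_MS)
        window *= 2;                        /* double per failure */
    if (window > MAX_DELAY_MS)
        window = MAX_DELAY_MS;              /* clamp to the cap */
    uint32_t half = window / 2;
    return half + rnd % (half + 1u);
}

/* Token bucket limiting how many firmware bytes may be requested. */
typedef struct {
    uint32_t rate_bps;   /* refill rate in bytes per second */
    uint32_t burst;      /* bucket capacity in bytes */
    uint32_t tokens;     /* bytes currently available */
    uint32_t last_ms;    /* timestamp of the last refill */
} throttle_t;

/* Returns how many of `want` bytes may be requested at time now_ms. */
uint32_t throttle_take(throttle_t *t, uint32_t now_ms, uint32_t want)
{
    uint32_t elapsed = now_ms - t->last_ms;  /* unsigned math survives tick wrap */
    uint64_t refill = (uint64_t)elapsed * t->rate_bps / 1000u;
    if (refill > 0) {                        /* sub-token intervals keep accruing */
        uint64_t avail = (uint64_t)t->tokens + refill;
        t->tokens = avail > t->burst ? t->burst : (uint32_t)avail;
        t->last_ms = now_ms;
    }
    uint32_t grant = want < t->tokens ? want : t->tokens;
    t->tokens -= grant;
    return grant;
}

int main(void)
{
    throttle_t t = { 1000u, 4096u, 0u, 0u };  /* constructed: 1 kB/s, 4 KiB burst */
    printf("%u ms, %u bytes\n", (unsigned)retry_delay_ms(3, 0),
           (unsigned)throttle_take(&t, 2000, 4096));
    return 0;
}
```

On a real device `rnd` would come from the hardware random source and `now_ms` from a monotonic tick counter.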

Article 3.3 (e) - radio equipment incorporates safeguards to ensure that the personal data and privacy of the user and of the subscriber are protected. 

Example: Protect user privacy by encrypting cloud communications, minimizing unnecessary data collection, and securing stored data. Note that this article can be fulfilled by meeting requirements of EN 18031-3. 

Article 3.3 (f) - radio equipment supports certain features ensuring protection from fraud.   

Example: Deployment of anti-fraud mechanisms such as secure boot, cryptographic firmware signing, and user authentication can prevent devices from being exploited for malicious purposes. Note that this article can be fulfilled by meeting requirements of EN 18031-3.

Internet-Connected vs. Offline Devices

Radio devices may be exempted from certain articles of EU RED depending on whether or not they are capable of internet connection:

  • Internet-connected devices must support encryption, secure authentication mechanisms, and secure software updates to guard against fraud and data breaches.

  • Non-internet-connected radio devices are largely exempt from Articles 3(3)(e) and (f). However, compliance with Article 3(3)(d) may be required for network integrity if they interact with other devices or systems.

Password-less devices

Devices without user-settable credentials, such as Bluetooth beacons or passive sensors, are not exempt from the cybersecurity requirements under EU RED. In these cases, manufacturers must implement alternative technical safeguards to demonstrate that the device cannot be exploited or reprogrammed for malicious purposes, even in the absence of a traditional password. Self-declaration of CE marking for such devices is not allowed; they require the involvement of a notified body instead.

Examples of such safeguards include:

  • Unique device identifiers for pairing or firmware control

  • Pre-configured secure defaults that cannot be easily exploited

  • Secure boot mechanisms or restricted firmware update pathways

The race to August 1 EU RED compliance has begun

Meet higher bars of safety, privacy, and network resilience with ease by investing in secure product development and early testing. Granite River Labs offers end-to-end cybersecurity testing solutions that will enable you to trade freely within the EU with peace of mind.

 

References

1. Radio Equipment Directive. European Commission.