New requirements of the Radio Equipment Directive (RED) with regard to cyber security

Since 2014 the Radio Equipment Directive 2014/53/EU, abbreviated RED, regulates the making available of radio equipment on the market. A recently published legal act now specifies contents of the Directive with regard to the topics (Cyber)-security and data protection.

This overview intends to explain the motivation of the European Commission as well as some content-related aspects of the legal act.
 

Considerations of the Commission

On a global scale the 5G-technology is on the rise and is most likely going to affect the daily routine within the European Union. Despite all advantages of the technology the dispersion of the standard also endangers cybersecurity. In particular, machines that can communicate via the Internet using a wireless network connection fall under the Radio Equipment Directive and are therefore also exposed to such a threat.

So far, the essential requirements of the Directive have not referred to such equipment connected to the internet. Due to the internet-readiness, this kind of asset is exposed to a certain fraud risk, which is to be reduced via a corresponding adjustment of the requirements. Therefore the EU-Commission saw an urge to “re-sharpen” article 3 of the RED.
 

Content of the legal act

The Commission published the Regulation in the EU Official Journal “supplementing Directive 2014/53/EU (…) with regard to the application of the essential requirements referred to in Article 3(3), points (d), (e) and (f), of that Directive.”¹

The Radio Equipment Directive may grant the Commission the authority to state via delegated legal acts which “categories or classes of radio equipment” are covered in the range of article 3.

A legal act of that kind is Regulation 2022/30: it determines that “internet-connected radio equipment” is also covered by the requirements.

In a broader sense, e.g., internet-connected machinery may not exert any “harm to the network or its functioning or misuse of network resources”, “support features for ensuring protection from fraud” and guarantee the protection of person-related data.

Of course, a machine only has to legally fulfil the cybersecurity requirements of the RED if the machine has a radio interface and therefore falls under the Radio Equipment Directive as radio equipment itself. If a machine only has wired interfaces, it is not radio equipment in this case and is therefore not covered by the RED. The other relevant regulations then apply, such as the Machinery Directive and the EMC Directive, and in future also the new Machinery Regulation and, if applicable, the new Cyber Resilience Act.
 

Effective date and further information

According to the Commission’s information the Regulation will be effective from the 20th day of publication in the Official Journal of the EU (02/01/2022), from 2025-08-01 all products concerned will need to fulfil the new requirements.²

Harmonised standards for the security requirements

The European Standardisation Organisations (ESO) CEN/CENELEC announced after the publication of Regulation 2022/30 that they would develop relevant standards for these requirements. The joint technical committee JTC13 (Cybersecurity and Data Protection) developed the following standards in response: 

• EN 18031-1:2024 Common security requirements for radio equipment - Part 1: Internet connected radio equipment
• EN 18031-2:2024 Common security requirements for radio equipment - Part 2: radio equipment processing data, namely Internet connected radio equipment, childcare radio equipment, toys radio equipment and wearable radio equipment
• EN 18031-3:2024 Common security requirements for radio equipment - Part 3: Internet connected radio equipment processing virtual money or monetary value

According to the website of the publisher CEN/CENELEC, these standards were ratified on 1 August 2024, the following weeks the final versions will be delivered to the national members for publication. Users will then be able to purchase the respective full texts of the standards from there.

To list the standards in the EU Official Journal according to the Radio Equipment Directive, the standards were assessed by so-called HAS consultants (experts from the auditing firm EY). However, this assessment of the three parts by the responsible consultants was negative; instead, they advised the responsible technical committee to reformulate the content. It therefore remained to be seen whether the standards would be published in the Official Journal of the EU at all or only with restrictions.³

Publication in the EU Official Journal for the Radio Equipment Directive

The final publication in the EU Official Journal took place on 30 January 2025 as part of Implementing Decision (EU) 2025/138. However, all 3 standards were included with numerous restrictions as part of this decision. For example, all 3 standards were provided with the note that "the sections named “rationale” and “guidance” within the harmonised standards do not confer a presumption of conformity" with the corresponding requirements of the Radio Equipment Directive 2014/53/EU. Furthermore, this restriction applies to all editions of the standard "if, by applying its clauses 6.2.5.1 and 6.2.5.2, the user is allowed not to set and use any password."

Additional information from the RED expert group

In June 2025, the EU Commission's ‘RED Experts Group’ published further information on the restrictions of the EN 18031 series in the EU Official Journal. These notes can be viewed publicly on the relevant pages of the expert group and list the reasons for publishing the restrictions in the EU Official Journal.

In addition, the expert group document provides answers for each of the restrictions whether manufacturers must involve an independent body for the conformity assessment procedure when applying the restricted sections. This is denied for all restrictions, stating the reasons, with the sole exception of section 6.3.2.4 of EN 18031-3: For this section, it is assumed that the evaluation criteria listed do not adequately address the relevant authentication risks, therefore conformity assessment by an independent body is mandatory.
 

Link to the delegated Regulation

Interested readers can access and download the full text of the regulation via the following link:

Commission Delegated Regulation (EU) 2022/30 supplementing Directive 2014/53/EU