A Step-by-Step Guide to Comply With the EU RED Cyber DA (for Hardware Manufacturers)

As of 1 August 2025, the RED Cybersecurity Delegated Act (Cyber DA) is in effect. This means all wireless products sold in the European Union must now meet mandatory cybersecurity requirements.

For hardware manufacturers, it’s a market access issue. Without compliance, your products cannot legally be sold in the EU.

This guide walks through the step-by-step process of achieving compliance so you can keep selling your devices in the European market.

Step 1: Identify if Your Product Is in Scope

The RED Cyber DA applies to any product with wireless communication.

  • Bluetooth (BLE), WiFi, LTE, 5G, NFC, Zigbee, Thread, and similar.
  • Examples: wearables, asset trackers, smart home hubs, medical IoT devices, industrial sensors.

If your device has a wireless interface, assume it falls under the Cyber DA unless confirmed otherwise.

Step 2: Run a Gap Analysis

Compare your current device design against the RED Cyber DA requirements.

Key areas to check:

  • Data protection: Is sensitive data encrypted at rest and in transit?
  • Network protection: Can your device withstand denial-of-service attempts or malware injection?
  • Fraud prevention: Is there secure authentication for pairing and network access?

At this stage, many companies discover missing features that require firmware or hardware changes.

Step 3: Update Your Design

Address the gaps found in Step 2. Typical design updates include:

  • Secure boot: Ensures only trusted firmware runs.
  • Encryption: For both wireless communication and local data storage.
  • Secure updates (OTA): Firmware must be updatable in a verified and authenticated way.
  • Authentication: Strong device and user authentication mechanisms.

These requirements affect component choices, firmware architecture, and R&D processes.

Step 4: Pre-Compliance Testing

Before any external testing (if you choose it), run internal tests to catch issues early.

  • Simulate peak load conditions (e.g., radio TX + motor startup).
  • Test wireless pairing scenarios for security gaps.
  • Perform penetration testing to identify vulnerabilities.

Catching problems here avoids expensive rework later.

Step 5: Prepare Technical Documentation

The RED Cyber DA requires detailed documentation as part of CE marking.

Include:

  • Security design and architecture documents.
  • Test reports and logs.
  • Risk assessments.
  • Evidence of encryption, authentication, and update mechanisms.

This file will be reviewed during conformity assessment.

Step 6: Conformity Assessment

This is where you officially prove your device complies. There are two main paths:

  • Self-assessment: This is the path most manufacturers take. If you follow the harmonized standards (like EN 18031-1/-2), you can do a self-assessment. That means you keep your technical documentation in order and issue your own Declaration of Conformity. No external body needs to be involved (but Oxeltech can help if you’re unsure how to do it).
  • Notified Body: If your product isn’t fully covered by harmonized standards, then you’ll need to work with a Notified Body to review your documentation and testing.

Accredited labs can help with testing if you want extra assurance, but they’re not mandatory.

When this step is done, you can add the Cyber DA part to your overall CE compliance package. Together with safety, EMC, and radio requirements, this allows your product to be CE marked and placed on the EU market.

Risks of Skipping Steps

  • Sales bans: Non-compliant products cannot enter the EU.
  • Customs delays: Shipments blocked at borders.
  • Recalls: Devices already sold may be pulled back.
  • Reputation loss: Customers lose trust in your brand.

How Oxeltech Helps Hardware Manufacturers Comply

At Oxeltech, we support hardware and IoT manufacturers through the entire compliance journey:

  • Running compliance gap analyses.
  • Updating embedded systems for security.
  • Supporting pre-compliance testing.
  • Preparing technical documentation.
  • Coordinating with test labs for conformity assessment.

Contact Oxeltech today to make sure your devices are compliant and ready for the EU market.

FAQ

 

Which devices must comply with the RED Cyber DA?

Any product with wireless connectivity, including Bluetooth, WiFi, LTE, NFC, Zigbee, and more.

Does the RED Cyber DA apply to existing CE-marked devices?

Yes. Even devices that already carry the CE mark must comply with the Cyber DA if they have wireless connectivity and are sold in the EU after August 2025.

How do I make my product compliant with RED Cyber DA?

By following a process: scope assessment, gap analysis, design updates, testing, documentation, and conformity assessment.

What are the standards behind RED Cyber DA Compliance?

The RED Cybersecurity Delegated Act builds on earlier standards such as ETSI EN 303 645, which defined baseline IoT security requirements.

However, as of 2025, the EU has published EN 18031-1, EN 18031-2 and EN 18031-3 as the harmonized standards under the RED. These are now the reference standards that manufacturers can use to demonstrate compliance with the Cyber DA.

Who certifies my product for RED Cyber DA compliance?

Manufacturers are responsible for demonstrating compliance and issuing a Declaration of Conformity (DoC). This is usually done through self-assessment by following the harmonized standards (EN 18031-1, EN 18031-2, EN 18031-3).

Do I need to involve an accredited lab or Notified Body for RED Cyber DA compliance?

Not necessarily. Manufacturers can usually demonstrate compliance by following the harmonized standards (EN 18031-1, EN 18031-2, EN 18031-3) and issuing their own Declaration of Conformity (DoC).

Accredited labs and Notified Bodies can still support you with pre-compliance testing or independent evaluations, but their involvement is not mandatory unless harmonized standards do not fully cover your product or you choose to go through them for extra assurance.

Can compliance be achieved without hardware redesign?

Often yes. Features such as TLS/HTTPS, unique credentials, secure boot (depending on MCU), and OTA updates can be added through firmware. Hardware redesign may be needed only for root of trust or tamper resistance.

What happens if I ignore RED Cyber DA?

Your products may be blocked or recalled, you may be fined, and you cannot legally sell them in the EU. Read our blog on this topic here.
