In 2025, a German IoT company building low-power connected devices engaged Oxeltech to bring their product into compliance with the EU Radio Equipment Directive (RED) Delegated Act 2022/30, which mandates cybersecurity for internet-connected radio devices from 1 August 2025.
The Product
- MCU: STM32F4 series
- Connectivity: External WiFi module via UART/SPI
- Functions: Periodic sensor data upload to the cloud and settings via a mobile app
- Power Source: Battery-powered, optimized for long use in the field
The device was functional and already sold worldwide, but it lacked the cybersecurity features required for RED compliance, such as secure communication, authenticated access, and protected firmware updates.
Compliance Risks Identified
Using ETSI EN 303 645 as our benchmark (commonly used to meet RED Articles 3(3)(d), (e), and (f)), we conducted a technical gap analysis. We identified several vulnerabilities:
| ETSI Clause | Finding | Risk |
|---|---|---|
| 5.1 | Same default credentials on all units | Easy remote takeover |
| 5.3 & 5.4 | No secure OTA update process | Firmware tampering risk |
| 5.6 | Debug interfaces exposed via WiFi | Attack surface for remote exploits |
| 5.7 | Plain HTTP communication | Data interception, man-in-the-middle attacks |
| 5.8 | No vulnerability disclosure process | Non-conformity in regulatory audit |
Additionally, the product had no documented security lifecycle policy, which is a requirement for RED technical documentation.
Oxeltech’s Solution
We delivered a full RED Cybersecurity Compliance Program tailored to STM32-based connected hardware.
1. Security Architecture and Implementation
- Integrated mbedTLS for secure HTTPS communication between the STM32 and the backend server
- Developed a lightweight, secure OTA process with:
- Firmware signature verification
- Fallback and rollback safety
- STM32 SBSFU (Secure Boot and Secure Firmware Update) as the bootloader
- Replaced default credentials with unique keys provisioned per device at manufacturing
- Hardened the firmware to disable debug ports and unnecessary services over the WiFi interface
- Designed a secure pairing protocol between the device and the companion mobile app
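To make the OTA bullets above concrete, here is an added example (not Oxeltech's code and not the SBSFU implementation) of the acceptance logic a device applies to a signed update: an authenticated header, an image hash check, an anti-rollback version check, and a two-slot trial boot that falls back to the previous image if the new one fails to confirm. It assumes an HMAC-SHA256 tag under a per-device key as a stand-in for the asymmetric signature a bootloader like SBSFU would verify; the checks around it are the same either way.

```python
import hmac, hashlib, struct

# Constructed example: HMAC-SHA256 under a per-device key stands in for the
# asymmetric image signature a secure bootloader would verify (assumption).
MAGIC = b"OTA1"
HDR_FMT = "<4sII32s32s"          # magic, version, image size, sha256(image), tag
HDR_LEN = struct.calcsize(HDR_FMT)

def sign_image(key: bytes, version: int, image: bytes) -> bytes:
    # Update blob = authenticated header followed by the raw image.
    body = struct.pack("<4sII32s", MAGIC, version, len(image), hashlib.sha256(image).digest())
    return body + hmac.new(key, body, hashlib.sha256).digest() + image

def verify_update(key: bytes, blob: bytes, installed_version: int, slot_size: int):
    # Returns (version, "ok") if the blob may be installed, else (None, reason).
    if len(blob) < HDR_LEN:
        return None, "short header"
    magic, version, size, digest, tag = struct.unpack(HDR_FMT, blob[:HDR_LEN])
    if magic != MAGIC:
        return None, "bad magic"
    # Authenticate the header before trusting any field in it.
    expected = hmac.new(key, blob[:HDR_LEN - 32], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None, "bad signature"
    image = blob[HDR_LEN:]
    if size != len(image) or size > slot_size:
        return None, "size mismatch"
    if not hmac.compare_digest(hashlib.sha256(image).digest(), digest):
        return None, "image hash mismatch"
    if version <= installed_version:             # anti-rollback: strictly newer only
        return None, "rollback rejected"
    return version, "ok"

class Device:
    # Two-slot update state: a new image runs as "pending" until it confirms itself.
    def __init__(self, key: bytes, version: int, slot_size: int = 64 * 1024):
        self.key, self.version, self.slot_size = key, version, slot_size
        self.previous = None     # version still held in the fallback slot
        self.pending = False     # new image running but not yet confirmed
    def install(self, blob: bytes) -> str:
        new_version, reason = verify_update(self.key, blob, self.version, self.slot_size)
        if new_version is not None:
            self.previous, self.version, self.pending = self.version, new_version, True
        return reason
    def boot_result(self, healthy: bool) -> int:
        # Called after reboot: confirm the new image, or fall back to the previous slot.
        if self.pending:
            if not healthy:
                self.version = self.previous     # revert to the known-good image
            self.previous, self.pending = None, False
        return self.version
```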
2. Documentation and CE Preparation
- Created a risk assessment report aligned with RED Annex I clauses
- Mapped all implemented controls to ETSI EN 303 645
- Delivered a structured technical file including diagrams, firmware architecture, and compliance justifications
Result: Security Without Hardware Redesign
- ✅ Full RED Cyber DA alignment using ETSI EN 303 645
- ✅ No changes to hardware or PCB layout
- ✅ Maintained low-power operation and flash budget
- ✅ Client ready to update CE Declaration of Conformity before the deadline
- ✅ Embedded team trained to maintain compliance in future releases
A Note on ESP32 Devices
While this project used STM32 with an external WiFi module, Oxeltech also supports ESP32-based IoT devices for RED Cybersecurity compliance. ESP32 platforms offer built-in connectivity and hardware support for secure boot, TLS, and OTA, but they still require secure configuration and proper documentation to meet RED Cyber DA requirements.
Whether you use STM32, ESP32, Nordic nRF52 or other MCUs for your connected device, RED compliance is not optional. We help you implement the security stack needed to meet the new EU regulations with minimal engineering disruption.
About Oxeltech
Oxeltech supports product teams in building and securing connected devices using STM32, ESP32, nRF52 and other MCUs. We specialize in low-power wireless IoT hardware, embedded firmware, and RED Cyber DA compliance. From secure communication to OTA and CE documentation, we help your device meet EU cybersecurity requirements efficiently.
Make Your Device Comply with the RED Cyber DA
If you’re building or selling an IoT product in the EU with WiFi, BLE, or cellular connectivity, now is the time to prepare for RED Cybersecurity enforcement.
Book a free initial consultation to assess your device and avoid regulatory fines.