From 1 August 2025, the EU’s Radio Equipment Directive (RED) will enforce mandatory cybersecurity requirements for all internet-connected radio devices. This change affects nearly every manufacturer selling connected products, including those using WiFi, Bluetooth, or cellular technologies.
What’s Changing?
The RED Delegated Regulation (EU) 2022/30 activates Articles 3(3)(d), (e), and (f) of the directive. These articles introduce three new obligations:
- Protection of network communication
- Protection of personal data
- Protection against unauthorized use
If your device connects to the internet and uses radio (e.g. WiFi, BLE, cellular), it must now meet concrete cybersecurity expectations to retain CE marking. Compliance is no longer optional.
Image Source: Egnyte
Which Devices are Affected?
- IoT sensors and nodes
- Smart home devices
- Wearables
- Connected medical or industrial devices
- Gateways and embedded modules using wireless links
If your product is already CE-certified, you still need to update your technical documentation and demonstrate compliance with the new cybersecurity scope.
What are the Risks of Ignoring RED Cyber DA?
- Market access denied: Customs or Notified Bodies may block non-compliant shipments.
- Liability and recalls: Security incidents tied to non-compliant devices can trigger fines or legal action.
- Loss of customer trust: Enterprise buyers are increasingly security-aware and demand proof of conformance.
What does Compliance Involve?
While the RED doesn’t prescribe specific technologies, the EU refers to ETSI EN 303 645 as a baseline standard. Compliance generally includes:
- Encrypted communication (e.g. TLS)
- Secure boot and verified firmware updates
- Unique device credentials (no shared passwords)
- Restriction of debug access
- Documented vulnerability management process
Can Existing Products be Made Compliant?
In many cases, yes. Compliance can be achieved through firmware changes, secure configuration, and proper documentation — without redesigning the hardware.
At Oxeltech, we help product teams retrofit security features into existing devices and prepare technical documentation for CE and RED Cyber DA declarations. In one case, we enabled full RED compliance for a device using STM32 and external WiFi, all without changing the PCB.
Planning to sell in the EU after July 2025?
We offer a free initial consultation to evaluate your RED Cyber DA readiness.
