RED cybersecurity requirements and Compliance with EN 18031-1, EN 18031-2 and EN 18031-3

From 1st August 2025, all wireless devices placed on the EU market must comply with the Radio Equipment Directive (RED) cybersecurity requirements.

What are the RED cybersecurity requirements?

More and more products are now employing radio technology in their applications. Many of these devices connected to the internet may face security risks, making it vulnerable to potential attacks and exploitation. 

To mitigate these risks, the European Commission adopted a Delegated Act of the Radio Equipment Directive activating Articles 3(3)(d), (e) and (f) for certain categories of radio equipment to increase the level of cybersecurity, personal data protection and privacy, and protection of financial transactions.  

• Article 3.3 (d) - radio equipment does not harm the network or its functioning nor misuse network resources, thereby causing an unacceptable degradation of service.
• Article 3.3 (e) - radio equipment incorporates safeguards to ensure that the personal data and privacy of the user and of the subscriber are protected.
• Article 3.3 (f) - radio equipment supports certain features ensuring protection from fraud.
  

  ---

which devices are covered by THE RED cybersecurity requirements?

1. Equipment that uses radio technology for communication over the internet such as mobile phones, tablets, electronic cameras, telecommunication equipment 
2. IoT devices that can transmit data over the internet
3. Toys and childcare equipment such as baby monitors
4. Wearable devices such as smartwatches or fitness trackers
5. Connected industrial devices
   
   
   
   

Plan your RED Cybersecurity compliance roadmap with TÜV SÜD.  Contact us now.

The Role of EN 18031-1, EN 18031-2 and EN 18031-3 in RED Cybersecurity Compliance

The EN 18031 series of standards is essential for achieving full RED Cybersecurity compliance for radio equipment. These standards guide manufacturers in implementing robust cybersecurity measures and protecting users and networks from potential threats.

• EN 18031-1 specifies the general cybersecurity requirements for radio devices, ensuring that all equipment is secure, resilient, and compliant with the RED Cybersecurity framework.
• EN 18031-2 focuses on privacy and data protection, providing requirements to safeguard personal and sensitive user data in line with RED Cybersecurity expectations.
• EN 18031-3 addresses protection against fraud and network misuse, establishing technical measures to prevent exploitation of radio equipment and maintain network integrity under the RED Cybersecurity rules.

By following EN 18031-1, EN 18031-2, and EN 18031-3, manufacturers can design, test, and certify their radio equipment with confidence, ensuring compliance with all RED Cybersecurity requirements and enhancing trust with end-users. 

What is the deadline to comply with red cybersecurity requirements?

how can TÜV SÜD help you with the red cybersecurity requirements?

TÜV SÜD provides testing and evaluation services based on standards such as EN 303 645 and IEC 62443. Our laboratories can perform a variety of tests and services to prepare for the incoming regulation. We are also actively involved with the development of cybersecurity standards globally.

In addition, TÜV SÜD is an EU Notified Body for the Radio Equipment Directive. Therefore, we can support you in complying with the requirements of the Radio Equipment Directive together with other regulations and standards applicable to radio equipment and devices, including assessments aligned with EN 18031-1, EN 18031-2 and EN 18031-3

Please contact TÜV SÜD if you need more information on:

• Understanding if your radio equipment product is in the scope of RED cybersecurity.
• What are the best practices presently, such as secure-by-design 
• Understanding the present status of standardization 
• How to plan to ensure confidence in the security of your product

FAQs about RED Cybersecurity requirements