European Union’s (EU) Radio Equipment Directive (RED) Summarized

Impact on US equipment manufacturers:

US manufacturers must ensure their radio equipment meets the new cybersecurity requirements of RED, including network protection, personal data privacy, and fraud prevention, or their products risk being banned or removed from the EU market.

Starting August 1st, 2025, cybersecurity features for devices within the EU that involve radio transceivers will no longer be optional. The EU’s Radio Equipment Directive (RED 2014/53/EU) enforces essential cybersecurity requirements under Articles 3(3)(d), (e), and (f), which apply to radio equipment placed on the EU market:

  • Article 3(3)(d) – mandates that radio equipment must not harm networks or degrade their functioning. Devices must avoid misuse of network resources that could lead to service disruption, ensuring network availability.
  • Article 3(3)(e) – requires protection of consumers’ personal data and privacy. This includes protection of traffic data, location data, and any personal information processed or transmitted by wireless devices, with protection of children’s rights as an essential element.
  • Article 3(3)(f) – focuses on protection from fraud, particularly for devices that enable users to transfer money, monetary value, or virtual currency. Such equipment must implement features that minimize the risk of fraud when making electronic payments.

Key Compliance Requirements Starting August 1st, 2025:

  • Devices must protect user data privacy using encryption and secure authentication.
  • Network integrity must be maintained to prevent unauthorized access.
  • Fraud prevention features must be implemented to counteract fraudulent transactions.
  • Compliance with standards EN 18031-1, EN 18031-2, and EN 18031-3 is expected. Together they provide a structured cybersecurity framework covering the secure implementation of wireless devices and their functionality.

Breakdown of the 3 Compliance Standards:

EN 18031-1 – Focuses on Network Integrity and Availability:

  • Ensures devices do not harm or degrade network performance.
  • Requires secure boot, software integrity, and encrypted communication.
  • Applies to most internet-connected radio devices except some specialized equipment.

EN 18031-2 – Focuses on Consumer Data Protection and Privacy:

  • Protects user personal data and privacy in radio devices.
  • Targets devices like wearables, toys, and childcare equipment.
  • Mandates encryption and strong access controls.
  • Requires proper hardware and software security measures.

EN 18031-3 – Focuses on Preventing Fraud and Ensuring Secure Online Transactions:

  • Prevents fraud in devices handling money or virtual currency.
  • Enforces strong authentication and anti-tampering features.
  • Applies to devices enabling financial transactions via radio.
  • Stops unauthorized access and fraudulent activities.

Scope and Impact on Manufacturers:

These rules apply to all new radio equipment placed on the market after August 2025, regardless of previous availability. Products that do not comply risk removal from the EU market and penalties. Manufacturers must provide technical documentation, including test reports and risk assessments, proving compliance. The focus is on embedded security from hardware to software, aligning RED with broader EU cybersecurity initiatives like the Cyber Resilience Act (CRA).

Devices Covered:

  • mobile phones
  • laptops
  • radars
  • broadcasting devices
  • fitness devices
  • smartwatches
  • routers
  • smart appliances
  • In broader terms, devices with Wi-Fi, Bluetooth, GPS and/or other radio transceivers.

The directive marks a significant enhancement of the safety, privacy, and security standards for radio equipment in the EU, reflecting the digital landscape’s evolving cybersecurity challenges.

If you are ready to test the security posture of your Internet of Things (IoT) equipment and ensure it is compliant with the new standards set by RED, NaviSec offers IoT penetration testing services, which you can learn more about using the link below:

https://navisec.io/iot-penetration-testing/

Contact NaviSec with inquiries regarding its IoT penetration testing services.
