What is the RED Cybersecurity Regulation?
Learn about RED (Radio Equipment Directive) cybersecurity requirements and compliance steps for EU IoT devices, plus key deadlines (mandatory from August 2025).
In recent years, cybersecurity has become an essential requirement for manufacturers of connected devices. The Radio Equipment Directive (RED) 2014/53/EU, which already defined safety and performance standards for radio devices sold in the European Union, has moved decisively in this direction since 2022.

With the introduction of Delegated Regulation (EU) 2022/30, subsequently amended by Regulation (EU) 2023/2444, three key articles of the RED were activated: 3(3)(d), (e), and (f). But what do these requirements actually mean in practice?
Essentially, every radio device (whether it is a smartphone, Wi-Fi system, Bluetooth device, or any other device with wireless functionality) must now guarantee three crucial aspects:
It must not compromise the integrity of the networks to which it connects
It must effectively protect users' personal data and privacy
It must prevent fraudulent or malicious use
In practice, manufacturers can no longer simply place working devices on the market. They must design them from the outset with robust cybersecurity measures capable of withstanding today's increasingly sophisticated attacks.
We are increasingly witnessing a paradigm shift in the European Union: cybersecurity is no longer an optional feature or a good practice to follow when possible.
It has become a mandatory requirement for anyone who wants to sell radio devices in the European Union.
From RF to Cyber: A necessary evolution
When the RED was first introduced, its main focus was to ensure that radio devices functioned correctly in terms of RF performance and electromagnetic compatibility. But times change, and so do threats.
Delegated Act (EU) 2022/30 marked a turning point, explicitly extending the application of Articles 3(3)(d), (e), and (f) to certain categories of devices.
What does this mean in practice? If your product uses radio technologies (whether it is a home router, a smartwatch, or an industrial sensor), it must be designed with three fundamental pillars in mind:
Network protection: the device must not behave like a digital "bad neighbor." No Denial-of-Service attacks, no excessive consumption of network resources. It must be a respectful citizen of the digital ecosystem in which it operates.
Data and privacy protection: any personal information that passes through the device (passwords, location data, health metrics) must be protected against unauthorized access or data leaks.
Fraud prevention: the device must ensure that the software is authentic and intact, preventing tampering or malicious replacement.
Together, these three requirements cover the famous CIA triad of cybersecurity: Confidentiality, Integrity and Availability.
This applies not only to data traveling over the network, but also to data stored on the device and its secure operation within the network infrastructure.
Cybersecurity is a legal obligation
The EU's goal is to ensure that radio equipment is designed and manufactured to withstand modern cyber threats. It is no longer acceptable to place vulnerable devices on the market that are easy targets for hackers, malware, interception, or man-in-the-middle attacks.
Let's look at some examples:
A wireless router must implement robust firewalls and strong authentication protocols.
A smart meter must encrypt the consumption data it transmits.
A connected drone needs secure firmware update mechanisms.
A fitness tracker that collects health data must protect this sensitive information with the utmost care.
These are just a few examples to illustrate the importance of this regulation for any device that communicates data via radio frequencies.
Particular attention is paid to personal data, as any device that processes personal information or traffic data automatically falls under the umbrella of Article 3(3)(e). And in the IoT era, this includes virtually everything that connects.
The good news is that manufacturers are not left alone to navigate these waters. RED requirements align with established international standards such as ETSI EN 303 645 for consumer IoT devices and IEC 62443 for industrial devices. Those who already follow these guidelines have a head start.
Designing devices without considering network protection, data privacy, and fraud prevention means violating European regulations. Cybersecurity must be integrated from the earliest stages of design (the so-called "secure-by-design" approach) and not added as an afterthought.
In an increasingly connected and vulnerable market, the RED has raised the bar. And it has raised it for everyone.
The RED cybersecurity rules apply to a wide range of connected radio equipment. Any device that uses wireless communication (radio, Bluetooth, Wi-Fi, cellular, etc.) and is capable of connecting (directly or indirectly) to the internet is covered. Products typically covered include:

Manufacturers should map their products against these categories. If your device can process personal or financial information over a radio network, the privacy/fraud requirements apply.
Note that there are some exceptions (e.g., equipment already covered by other EU cybersecurity regimes), but in general, most wireless products connected to the internet must comply.
It's time to become cybersecurity compliant
The new RED cybersecurity requirements represent a turning point for anyone manufacturing wireless devices for the European market. Every radio device must demonstrate that it meets strict standards for network, data, and fraud protection.
Unfortunately, this is not a simple bureaucratic update. It requires constant commitment to conducting in-depth risk assessments for each product, adopting internationally recognized safety standards, and preparing detailed and verifiable technical documentation.
It is a task that requires many specific skills, time, and resources. The most important advice we can give? Start taking inventory of your product portfolio right away, identify existing security gaps, and plan how to align yourself with EN 303 645 and EN 18031 standards.
We understand that navigating these new regulations can seem like a daunting task, especially if cybersecurity is not your company's core business. That's why we exist. Our team has made compliance with European requirements its mission.
We know every detail of this RED regulation, we know how to interpret the technical standards and, above all, we know how to translate all this into concrete and manageable actions for your company.
Whether you need support with risk assessments, advice on technical documentation, or comprehensive guidance through the entire compliance process, we are here to make the journey less complicated and more secure.
Interactive Guide: An in-app AI coach interprets EN 18031 clauses in real time, explains what evidence is required, and suggests best-practice checks—no external consultant required.
Smart Templates and Lists: Pre-built worksheets, clause by clause, auto-populate with your product data, turning hours of manual mapping into minutes.
Risk Assessment Engine: Upload architecture diagrams or firmware binaries; the platform auto-generates a threat model and risk register that you can refine with a few clicks.
One-Click Documentation: Instantly export EU-compliant risk reports and Declarations of Conformity (DoCs) ready for CE marking, all stored in a single dashboard for easy version control.
Continuous Compliance Monitor: Git-integrated tracking flags security impacts of firmware or hardware changes, keeping every release audit-ready without human intervention.
By automating the heavy lifting, Red Comply cuts compliance time and cost, letting your team focus on innovation, not paperwork.
Visit redcomply.com or contact us directly to discover how we can turn a regulatory challenge into an opportunity to strengthen your product safety and customer trust. Because compliance doesn't have to be a headache!