Skip to content

IoT Cybersecurity

RED Cybersecurity Requirements Take Effect August 2025


Most IoT devices will soon face strict and mandatory cybersecurity rules across the European Union.
The RED Directive introduces these requirements to improve product security and protect consumers.
Non-compliance has serious consequences.
You risk losing access to EU markets through enforced sales bans, withdrawal orders for products already sold, and financial penalties imposed by national authorities.


New Legal Obligations

The Radio Equipment Directive 2014/53/EU has set essential requirements for Radio, safety and EMC for years.
With Delegated Regulation 2022/30, the scope has now been extended to include cybersecurity.
Three core areas will affect your product:

  • Article 3.3(d) requires you to protect networks against misuse and disruption.
  • Article 3.3(e) demands strong safeguards to protect personal data and privacy.
  • Article 3.3(f) requires features that prevent fraud and secure transactions.

These obligations apply whether you design smart home devices, wearables, industrial sensors, or payment-enabled equipment.


Who Must Comply

You need to act if your product:

  • Connects to the internet, even indirectly through a gateway.
  • Processes personal, traffic, or location data, as defined under GDPR.
  • Toys and childcare products
  • Handles any form of payment, monetary value, or virtual currency.

Most IoT products in the market today fall into at least one of these categories, so assuming your device is exempt can be a costly mistake.


Devices That Are Excluded

Some products are excluded from the RED cybersecurity requirements because they already follow their own sector regulations.
If you manufacture any of these devices, you must comply with separate rules:

  • Medical devices regulated under Regulations 2017/745 and 2017/746.
  • Civil aviation equipment covered by Regulation 2018/1139.
  • Automotive devices regulated by Regulation 2019/2144.
  • Electronic road toll systems under Regulation 2019/520.

Even though these devices do not fall under the new RED cybersecurity articles, they still have their own strict cybersecurity requirements.
If you work in these sectors, be sure to reference the relevant frameworks and confirm that your product does not also fall into RED scope through additional functionalities.


Three Areas You Must Address

To comply, your design and documentation must show that you:

  • Control access to your device and its interfaces.
  • Keep software up to date and validate its integrity.
  • Encrypt sensitive data, whether stored locally or sent over networks.
  • Log security events and provide evidence of resilience against misuse attempts.

If you skip or limit any of these measures, you must clearly justify why.
In many cases, you will need to involve a notified body to review your decisions before placing the product on the market.


EN 18031 Standards

The European Committee for Standardization released three standards to help you prove compliance:

  • EN 18031-1 defines requirements to protect networks and connected systems.
  • EN 18031-2 addresses personal data protection measures.
  • EN 18031-3 covers secure transactions and fraud prevention.

Applying these standards allows you to demonstrate conformity and simplify your technical documentation.
If your device does not meet certain controls, like password management or secure software updates, you cannot rely on the standards alone.
In those cases, you must prepare detailed risk justifications and coordinate with a notified body.


Five Actions You Need Now

Decide which standards apply to your product.
This first step takes about 2 to 3 weeks, depending on how many product variants you need to assess.

Prepare a risk and threat analysis.
Expect 2 to 4 weeks to complete this, especially if you use methodologies like STRIDE or the ETSI process for a thorough review.

List all external interfaces and assets.
Allocate 1 to 2 weeks to map out network connections, user interfaces, physical ports, and any APIs or services your product exposes.

Develop clear and structured technical documentation.
This stage usually requires 2 to 5 weeks, as you must include justifications, applicability decisions, and supporting evidence.

Plan and schedule testing activities.
Functional assessments and documentation reviews can take 3 to 6 weeks, depending on your product complexity and whether you require third-party labs.


Mistakes That Delay Market Entry

Many companies wait until the last minute, assuming a software update process is enough to satisfy the RED requirements.
Others rely on examples in the standards instead of creating their own justifications.
These shortcuts often lead to delayed launches, additional reviews, and lost sales opportunities.


Support Available

I guide IoT teams through each step of the compliance process.
You get clarity about which EN 18031 requirements apply to your product and how to prepare the technical documentation that market authorities expect.
This support saves you time and helps you avoid last-minute obstacles that could block your CE marking.


Next Step to Secure Your CE Mark

Book a call today.
Gain certainty about the RED cybersecurity requirements and learn what your next steps should be.
Protect your access to the EU market and keep your launch plans on track.