RED 3.3 cybersecurity: mandatory since 1 August 2025

News · Regulatory evolution

On 1 August 2025, Delegated Regulation (EU) 2022/30 entered into force: every connected radio product placed on the European market must now demonstrate compliance with the cybersecurity requirements 3.3(d), 3.3(e) and 3.3(f) of the RED directive 2014/53/EU. Originally scheduled for August 2024 and deferred by one year to allow the harmonised standards to be published, this activation captures almost every connected device sold in the EU.

Before 1 August 2025, article 3.3 of the RED directive existed on paper but was not activated: manufacturers had no obligation to demonstrate the cybersecurity of their radio products. Delegated Regulation (EU) 2022/30, adopted in October 2021, triggered three specific paragraphs:

  • Article 3.3(d), protection of networks against attacks originating from the equipment.
  • Article 3.3(e), protection of personal data and the privacy of the user and the subscriber.
  • Article 3.3(f), protection against fraud.

Activation was initially planned for 1 August 2024. Implementing Decision (EU) 2022/2191 granted a one-year extension to give the harmonised standards EN 18031-1, -2 and -3 time to be finalised and cited in the Official Journal of the European Union. Those standards were published in 2024 and now grant presumption of conformity to manufacturers who apply them.

The scope is very broad: any radio equipment capable of communicating via the internet, directly or indirectly, falls within the perimeter. In practice:

  • Wi-Fi, Bluetooth, Zigbee, Thread, LoRa, NB-IoT, LTE-M connected devices.
  • IP cameras, video doorbells, smart locks.
  • Industrial sensors, IoT gateways, smart home equipment.
  • Wearables (watches, fitness trackers), connected medical devices not covered by other directives.
  • Connected toys (strengthened 3.3(e)).

A few specific exclusions: equipment already covered by stricter sector regulations (vehicles, MDR medical devices, aeronautical equipment) is handled under those frameworks.

Article 3.3(d) is aimed at preventing a compromised radio device from becoming an entry point into the network it is connected to. Expected controls:

  • Mutual authentication of the device with the network (certificates, robust pre-shared keys).
  • Non-essential services disabled by default.
  • Restriction of unsolicited outbound connections to the internet.
  • Signed and verifiable security updates, with a controlled rollback mechanism.
  • Logging of significant security events.

The standard EN 18031-1 details the assessment methodology.
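As an added illustration (not code from the original article or from the EN 18031 standards), the update-related controls in the list above, a signed and verifiable update with controlled rollback and logging of the outcome, can be modelled as a small device-side gate. The key, manifest field names and version numbers are constructed assumptions, and HMAC-SHA256 stands in for the asymmetric signature a real device would verify with a vendor public key.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption). HMAC-SHA256 stands in for the asymmetric
# signature a real device would verify with a vendor public key.
UPDATE_KEY = b"constructed-demo-key-not-for-production"


def sign_manifest(manifest: dict, key: bytes = UPDATE_KEY) -> str:
    """Vendor side: sign a canonical JSON encoding of the update manifest."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(version: int, image: bytes, **extra) -> dict:
    """Vendor side: manifest binding a version number to the image hash."""
    return {"version": version, "image_sha256": hashlib.sha256(image).hexdigest(), **extra}


class Device:
    """Device-side update gate: signed, verifiable, with controlled rollback."""

    def __init__(self, installed_version: int, min_version: int):
        self.installed_version = installed_version
        self.min_version = min_version  # anti-rollback floor, raised by security fixes
        self.events = []                # significant security events, for logging

    def apply_update(self, manifest: dict, signature: str, image: bytes) -> str:
        # 1. Verify the signature before trusting any manifest field.
        if not hmac.compare_digest(sign_manifest(manifest), signature):
            return self._reject("bad-signature")
        # 2. The image must match the hash the signed manifest vouches for.
        if hashlib.sha256(image).hexdigest() != manifest["image_sha256"]:
            return self._reject("image-hash-mismatch")
        version = manifest["version"]
        # 3. Never install below the security floor, even with a valid signature.
        if version < self.min_version:
            return self._reject("below-rollback-floor")
        # 4. Downgrades are accepted only when the signed manifest authorises them.
        if version < self.installed_version and not manifest.get("rollback_allowed", False):
            return self._reject("unauthorised-rollback")
        self.installed_version = version
        self.min_version = max(self.min_version, manifest.get("min_version", 0))
        self.events.append(("update-applied", version))
        return "applied"

    def _reject(self, reason: str) -> str:
        self.events.append(("update-rejected", reason))
        return reason
```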

Article 3.3(e) partly overlaps with the GDPR but operates at the product level, not only at the level of data processing. Controls evaluated:

  • Encryption of sensitive communications: TLS 1.2 minimum, perfect forward secrecy recommended.
  • Encrypted storage of secrets (keys, passwords, authentication tokens).
  • Strong default passwords; the practice of shipping an identical factory password across every unit is now banned.
  • Secure erasure on factory reset or end of life.
  • Transparent documentation of data collected (type, purpose, duration).

Normative reference: EN 18031-2.

More narrowly targeted, article 3.3(f) applies to equipment that performs or facilitates financial transactions: payment terminals, banking equipment, connected devices capable of in-app purchases. Controls evaluated:

  • Strong authentication (multi-factor) for financial operations.
  • Integrity and non-repudiation of transactions.
  • Replay protection (nonces, signed timestamps).
  • Audit trail of financial operations.

Normative reference: EN 18031-3.
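As an added illustration (not code from the original article or from EN 18031-3), the replay-protection and audit-trail controls listed above can be combined in a server-side gate that checks the signature, a signed timestamp within a freshness window, and single use of each nonce. The per-device secret, the 120-second window and the transaction fields are constructed assumptions; HMAC gives integrity but not non-repudiation, which would need an asymmetric signature.

```python
import hashlib
import hmac
import json
import time

# Constructed demo secret (assumption): in practice a per-device key provisioned
# at manufacture, or an asymmetric key pair when non-repudiation is required.
TX_KEY = b"constructed-demo-key-not-for-production"
WINDOW_SECONDS = 120  # assumed tolerance for clock skew and transit delay


def sign_transaction(tx: dict, key: bytes = TX_KEY) -> str:
    """Client side: sign the canonical JSON of the transaction, nonce and timestamp included."""
    body = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class TransactionGate:
    """Server side: integrity check, replay rejection and an audit trail of every decision."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.seen = {}   # nonce -> transaction timestamp, pruned once outside the window
        self.audit = []  # append-only record of every decision

    def accept(self, tx: dict, signature: str) -> str:
        # 1. Integrity: any change to amount, account, nonce or timestamp breaks the signature.
        if not hmac.compare_digest(sign_transaction(tx), signature):
            return self._record(tx, "rejected-bad-signature")
        now = self.clock()
        # 2. Freshness: the signed timestamp bounds how long a captured message stays valid.
        if abs(now - tx["timestamp"]) > WINDOW_SECONDS:
            return self._record(tx, "rejected-stale")
        # 3. Replay: within the window, every nonce may be used exactly once.
        self._prune(now)
        if tx["nonce"] in self.seen:
            return self._record(tx, "rejected-replay")
        self.seen[tx["nonce"]] = tx["timestamp"]
        return self._record(tx, "accepted")

    def _prune(self, now: float) -> None:
        # Nonces older than the window can be forgotten: replaying them is already stale.
        self.seen = {n: ts for n, ts in self.seen.items() if now - ts <= WINDOW_SECONDS}

    def _record(self, tx: dict, decision: str) -> str:
        self.audit.append({"nonce": tx.get("nonce"), "amount_cents": tx.get("amount_cents"),
                           "decision": decision, "at": self.clock()})
        return decision
```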

The EN 18031 standards introduce a tiered evaluation logic, inspired by Common Criteria but simplified:

  Level        Who assesses                           When to apply
  Basic        Manufacturer self-assessment           Low-risk consumer IoT products
  Substantial  Accredited independent third party     Products handling sensitive data or in industrial environments
  High         Third party plus penetration testing   Critical products, infrastructure, payment

The level chosen depends on the risk analysis carried out by the manufacturer and documented in the technical file. For the vast majority of consumer IoT products, the basic level is considered sufficient, but it still requires a formal analysis, not a simple box-tick.

In concrete terms, here is what needs to be added to the RED Annex V technical file:

  1. Documented cybersecurity risk analysis, identifying assets to protect, threats and chosen controls.
  2. Security architecture diagram, components, data flows, trust boundaries.
  3. Inventory of controls implemented and their mapping to the applicable 3.3(d)(e)(f) articles.
  4. Assessment report to EN 18031-1/-2/-3 at the chosen assurance level.
  5. Maintenance plan, update policy, support duration, handling of vulnerabilities discovered after placing on the market.
  6. User documentation specifying security best practices (changing the default password, enabling updates, etc.).

  Assurance level                             Indicative cost         Lead time
  Basic (in-house or with external support)   €0 to €8,000            4 to 8 weeks
  Substantial (third-party laboratory)        €15,000 to €40,000      8 to 16 weeks
  High (with pentest)                         €40,000 to €100,000+    16 to 24 weeks

These ranges add to the usual cost of a RED campaign (radio EMC, spectrum, electrical safety).

The rule is clear: products placed on the market before 1 August 2025 under the old RED regime remain valid and can continue to be distributed without renewing their certification. But from 1 August 2025 onwards, any first placing on the market of a unit, including a product identical in design to an older model, must be covered by a declaration of conformity that includes article 3.3.

Watch for the trap: a substantial modification (firmware change, addition of a radio function, change of radio component) triggers a new placing on the market. Compliance with 3.3 then becomes mandatory even for a product whose first version pre-existed.

This is the main practical difficulty in 2025-2026: few laboratories hold a coherent EN 18031 accreditation scope. Fewer than ten entities in Europe had published accreditation scopes covering the full EN 18031-1/-2/-3 set at the time of activation. CETECOM, Element, INTERTEK and SGS positioned themselves early; others are catching up. The consequences:

  • Long waiting lists: 8 to 16 weeks of lead time to enter evaluation at substantial level.
  • Pressure on pricing driven by demand.
  • Pragmatic approach: plan the assessment well ahead of the launch date, ideally as soon as the firmware is frozen.

  • Article 3.3 has been active and enforceable since 1 August 2025; it is no longer optional or hypothetical.
  • The basic assurance level is sufficient for most IoT products, but it requires a formal, documented analysis.
  • The standards EN 18031-1, EN 18031-2 and EN 18031-3 grant presumption of conformity; any other approach remains possible but adds a considerable evidence burden.
  • Book a laboratory slot early: capacity will remain tight for 12 to 24 months.
  • For products already certified, anticipate the next change (firmware, radio component) that will reopen the conformity question.

Sources & references

  1. Delegated Regulation (EU) 2022/30, EUR-Lex: eur-lex.europa.eu/eli/reg_del/2022/30/oj
  2. Directive 2014/53/EU, article 3.3, EUR-Lex: eur-lex.europa.eu/eli/dir/2014/53/oj
  3. Implementing Decision (EU) 2022/2191, one-year deferral, EUR-Lex: eur-lex.europa.eu/eli/dec_impl/2022/2191/oj
  4. EN 18031 series: Cybersecurity for radio equipment, CENELEC: www.cenelec.eu/