Skip to content

RED 3.3 cybersecurity: mandatory since 1 August 2025

News · Regulatory evolution

On 1 August 2025, Delegated Regulation (EU) 2022/30 entered into force: every connected radio product placed on the European market must now demonstrate compliance with the cybersecurity requirements 3.3(d), 3.3(e) and 3.3(f) of the RED directive 2014/53/EU. Originally scheduled for August 2024 and deferred by one year to allow the harmonised standards to be published, this activation captures almost every connected device sold in the EU.

Before 1 August 2025, article 3.3 of the RED directive existed on paper but was not activated: manufacturers had no obligation to demonstrate the cybersecurity of their radio products. Delegated Regulation (EU) 2022/30, adopted in October 2021, triggered three specific paragraphs:

  • Article 3.3(d), protection of networks against attacks originating from the equipment.
  • Article 3.3(e), protection of personal data and the privacy of the user and the subscriber.
  • Article 3.3(f), protection against fraud.

Activation was initially planned for 1 August 2024. Delegated Regulation (EU) 2023/2444 granted a one-year extension to give the harmonised standards EN 18031-1, -2 and -3 time to be finalised and cited in the Official Journal of the European Union. Those standards were published in 2024, cited in the OJEU in January 2025, and now grant presumption of conformity to manufacturers who apply them.

The scope is very broad: any radio equipment capable of communicating via the internet, directly or indirectly, falls within the perimeter. In practice:

  • Wi-Fi, Bluetooth, Zigbee, Thread, LoRa, NB-IoT, LTE-M connected devices.
  • IP cameras, video doorbells, smart locks.
  • Industrial sensors, IoT gateways, smart home equipment.
  • Wearables (watches, fitness trackers), connected medical devices not covered by other directives.
  • Connected toys (strengthened 3.3(e)).

A few specific exclusions: equipment already covered by stricter sector regulations (vehicles, MDR medical devices, aeronautical equipment) is handled under those frameworks.

This requirement is aimed at preventing a compromised radio device from becoming an entry point into the network it is connected to. Expected controls:

  • Mutual authentication of the device with the network (certificates, robust pre-shared keys).
  • Disabled by default of non-essential services.
  • Restriction of unsolicited outbound connections to the internet.
  • Signed and verifiable security updates, with a controlled rollback mechanism.
  • Logging of significant security events.

The standard EN 18031-1 details the assessment methodology.

This requirement partly overlaps with GDPR but operates at the product level, not only at the processing level. Controls evaluated:

  • Encryption of sensitive communications: TLS 1.2 minimum, perfect forward secrecy recommended.
  • Encrypted storage of secrets (keys, passwords, authentication tokens).
  • Strong default passwords, the practice of an identical factory password across every unit is now banned.
  • Secure erasure on factory reset or end of life.
  • Transparent documentation of data collected (type, purpose, duration).

Normative reference: EN 18031-2.

More narrowly targeted, this requirement applies to equipment that performs or facilitates financial transactions, payment terminals, banking equipment, connected devices capable of in-app purchases. Controls evaluated:

  • Strong authentication (multi-factor) for financial operations.
  • Integrity and non-repudiation of transactions.
  • Replay protection (nonces, signed timestamps).
  • Audit trail of financial operations.

Normative reference: EN 18031-3.

Contrary to a widespread misreading, the EN 18031 standards do not define assurance levels (the basic / substantial / high tiers belong to the Cybersecurity Act certification framework, not to RED). Their logic is different:

StepWhat it involves
Risk assessmentThe manufacturer determines which parts apply: 3.3(d) maps to EN 18031-1, 3.3(e) to EN 18031-2, 3.3(f) to EN 18031-3
Decision treesEach requirement carries decision trees that establish whether it applies to the product
Assessment per mechanismEach applicable security mechanism undergoes a conceptual assessment (documented justification) plus functional completeness and functional sufficiency assessments

The outcome of each assessment is pass or fail, with no tiered levels. The conformity route follows from how the standards are applied: if they are applied in full and none of the restrictions attached to the OJEU citation (Implementing Decision (EU) 2025/138) is triggered, the manufacturer may self-assess under internal production control (module A). The restrictions concern the no-password clauses 6.2.5.1 and 6.2.5.2 in all three parts, parental and guardian access controls for toys and childcare equipment in EN 18031-2, and the secure-update criteria for financial assets in EN 18031-3. If a restriction is triggered, or the standards are only partially applied, a RED Notified Body becomes mandatory (EU-type examination, module B + C).

In concrete terms, here is what needs to be added to the RED Annex V technical file:

  1. Documented cybersecurity risk analysis, identifying assets to protect, threats and chosen controls.
  2. Security architecture diagram, components, data flows, trust boundaries.
  3. Inventory of controls implemented and their mapping to the applicable 3.3(d)(e)(f) articles.
  4. Assessment report to EN 18031-1/-2/-3, covering the conceptual, functional completeness and functional sufficiency assessments of each applicable mechanism.
  5. Maintenance plan, update policy, support duration, handling of vulnerabilities discovered after placing on the market.
  6. User documentation specifying security best practices (changing the default password, enabling updates, etc.).
Conformity routeIndicative costLead time
Self-assessment (in-house or with external support)€0 to €8,0004 to 8 weeks
Accredited third-party laboratory campaign€15,000 to €40,0008 to 16 weeks
Notified Body route with security testing€40,000 to €100,000+16 to 24 weeks

These ranges add to the usual cost of a RED campaign (radio EMC, spectrum, electrical safety).

The rule is clear: products placed on the market before 1 August 2025 under the old RED regime remain valid and can continue to be distributed without renewing their certification. But from 1 August 2025 onwards, any first placing on the market of a unit, including a product identical in design to an older model, must be covered by a declaration of conformity that includes article 3.3.

Watch for the trap: a substantial modification (firmware change, addition of a radio function, change of radio component) triggers a new placing on the market. Compliance with 3.3 then becomes mandatory even for a product whose first version pre-existed.

This is the main practical difficulty in 2025-2026: few laboratories hold a coherent EN 18031 accreditation scope. Fewer than ten entities in Europe had published accreditation scopes covering the full EN 18031-1/-2/-3 set at the time of activation. CETECOM, Element, INTERTEK and SGS positioned themselves early; others are catching up. The consequences:

  • Long waiting lists: 8 to 16 weeks of lead time to enter a third-party evaluation.
  • Pressure on pricing driven by demand.
  • Pragmatic approach: plan the assessment well ahead of the launch date, ideally as soon as the firmware is frozen.
  • Article 3.3 is active and enforceable since 1 August 2025, it is no longer optional or hypothetical.
  • Self-assessment (module A) remains open for most IoT products when the EN 18031 standards are applied in full and no OJEU restriction is triggered, but it requires a formal, documented analysis.
  • The standards EN 18031-1, EN 18031-2 and EN 18031-3 grant presumption of conformity, any other approach remains possible but adds considerable evidence burden.
  • Book a laboratory slot early: capacity will remain tight for 12 to 24 months.
  • For products already certified, anticipate the next change (firmware, radio component) that will reopen the conformity question.

Sources & references

  1. Delegated Regulation (EU) 2022/30 , EUR-Lex eur-lex.europa.eu/eli/reg_del/2022/30/oj
  2. Directive 2014/53/EU, article 3.3 , EUR-Lex eur-lex.europa.eu/eli/dir/2014/53/oj
  3. Delegated Regulation (EU) 2023/2444, one-year deferral , EUR-Lex eur-lex.europa.eu/eli/reg_del/2023/2444/oj
  4. EN 18031 series: Cybersecurity for radio equipment , CENELEC www.cenelec.eu/