RED 3.3 cybersecurity: mandatory since 1 August 2025
News · Regulatory evolution
On 1 August 2025, Delegated Regulation (EU) 2022/30 entered into force: every connected radio product placed on the European market must now demonstrate compliance with the cybersecurity requirements 3.3(d), 3.3(e) and 3.3(f) of the RED directive 2014/53/EU. Originally scheduled for August 2024 and deferred by one year to allow the harmonised standards to be published, this activation captures almost every connected device sold in the EU.
What actually changes
Section titled “What actually changes”Before 1 August 2025, article 3.3 of the RED directive existed on paper but was not activated: manufacturers had no obligation to demonstrate the cybersecurity of their radio products. Delegated Regulation (EU) 2022/30, adopted in October 2021, triggered three specific paragraphs:
- Article 3.3(d), protection of networks against attacks originating from the equipment.
- Article 3.3(e), protection of personal data and the privacy of the user and the subscriber.
- Article 3.3(f), protection against fraud.
Activation was initially planned for 1 August 2024. Delegated Regulation (EU) 2023/2444 granted a one-year extension to give the harmonised standards EN 18031-1, -2 and -3 time to be finalised and cited in the Official Journal of the European Union. Those standards were published in 2024, cited in the OJEU in January 2025, and now grant presumption of conformity to manufacturers who apply them.
Which products are in scope?
Section titled “Which products are in scope?”The scope is very broad: any radio equipment capable of communicating via the internet, directly or indirectly, falls within the perimeter. In practice:
- Wi-Fi, Bluetooth, Zigbee, Thread, LoRa, NB-IoT, LTE-M connected devices.
- IP cameras, video doorbells, smart locks.
- Industrial sensors, IoT gateways, smart home equipment.
- Wearables (watches, fitness trackers), connected medical devices not covered by other directives.
- Connected toys (strengthened 3.3(e)).
A few specific exclusions: equipment already covered by stricter sector regulations (vehicles, MDR medical devices, aeronautical equipment) is handled under those frameworks.
The three sub-articles in practice
Section titled “The three sub-articles in practice”3.3(d): Network protection
Section titled “3.3(d): Network protection”This requirement is aimed at preventing a compromised radio device from becoming an entry point into the network it is connected to. Expected controls:
- Mutual authentication of the device with the network (certificates, robust pre-shared keys).
- Disabled by default of non-essential services.
- Restriction of unsolicited outbound connections to the internet.
- Signed and verifiable security updates, with a controlled rollback mechanism.
- Logging of significant security events.
The standard EN 18031-1 details the assessment methodology.
3.3(e): Personal data protection
Section titled “3.3(e): Personal data protection”This requirement partly overlaps with GDPR but operates at the product level, not only at the processing level. Controls evaluated:
- Encryption of sensitive communications: TLS 1.2 minimum, perfect forward secrecy recommended.
- Encrypted storage of secrets (keys, passwords, authentication tokens).
- Strong default passwords, the practice of an identical factory password across every unit is now banned.
- Secure erasure on factory reset or end of life.
- Transparent documentation of data collected (type, purpose, duration).
Normative reference: EN 18031-2.
3.3(f): Fraud protection
Section titled “3.3(f): Fraud protection”More narrowly targeted, this requirement applies to equipment that performs or facilitates financial transactions, payment terminals, banking equipment, connected devices capable of in-app purchases. Controls evaluated:
- Strong authentication (multi-factor) for financial operations.
- Integrity and non-repudiation of transactions.
- Replay protection (nonces, signed timestamps).
- Audit trail of financial operations.
Normative reference: EN 18031-3.
How the EN 18031 assessment works
Section titled “How the EN 18031 assessment works”Contrary to a widespread misreading, the EN 18031 standards do not define assurance levels (the basic / substantial / high tiers belong to the Cybersecurity Act certification framework, not to RED). Their logic is different:
| Step | What it involves |
|---|---|
| Risk assessment | The manufacturer determines which parts apply: 3.3(d) maps to EN 18031-1, 3.3(e) to EN 18031-2, 3.3(f) to EN 18031-3 |
| Decision trees | Each requirement carries decision trees that establish whether it applies to the product |
| Assessment per mechanism | Each applicable security mechanism undergoes a conceptual assessment (documented justification) plus functional completeness and functional sufficiency assessments |
The outcome of each assessment is pass or fail, with no tiered levels. The conformity route follows from how the standards are applied: if they are applied in full and none of the restrictions attached to the OJEU citation (Implementing Decision (EU) 2025/138) is triggered, the manufacturer may self-assess under internal production control (module A). The restrictions concern the no-password clauses 6.2.5.1 and 6.2.5.2 in all three parts, parental and guardian access controls for toys and childcare equipment in EN 18031-2, and the secure-update criteria for financial assets in EN 18031-3. If a restriction is triggered, or the standards are only partially applied, a RED Notified Body becomes mandatory (EU-type examination, module B + C).
Practical impact for manufacturers
Section titled “Practical impact for manufacturers”In concrete terms, here is what needs to be added to the RED Annex V technical file:
- Documented cybersecurity risk analysis, identifying assets to protect, threats and chosen controls.
- Security architecture diagram, components, data flows, trust boundaries.
- Inventory of controls implemented and their mapping to the applicable 3.3(d)(e)(f) articles.
- Assessment report to EN 18031-1/-2/-3, covering the conceptual, functional completeness and functional sufficiency assessments of each applicable mechanism.
- Maintenance plan, update policy, support duration, handling of vulnerabilities discovered after placing on the market.
- User documentation specifying security best practices (changing the default password, enabling updates, etc.).
Observed cost ranges
Section titled “Observed cost ranges”| Conformity route | Indicative cost | Lead time |
|---|---|---|
| Self-assessment (in-house or with external support) | €0 to €8,000 | 4 to 8 weeks |
| Accredited third-party laboratory campaign | €15,000 to €40,000 | 8 to 16 weeks |
| Notified Body route with security testing | €40,000 to €100,000+ | 16 to 24 weeks |
These ranges add to the usual cost of a RED campaign (radio EMC, spectrum, electrical safety).
Transition regime
Section titled “Transition regime”The rule is clear: products placed on the market before 1 August 2025 under the old RED regime remain valid and can continue to be distributed without renewing their certification. But from 1 August 2025 onwards, any first placing on the market of a unit, including a product identical in design to an older model, must be covered by a declaration of conformity that includes article 3.3.
Watch for the trap: a substantial modification (firmware change, addition of a radio function, change of radio component) triggers a new placing on the market. Compliance with 3.3 then becomes mandatory even for a product whose first version pre-existed.
Limited laboratory capacity
Section titled “Limited laboratory capacity”This is the main practical difficulty in 2025-2026: few laboratories hold a coherent EN 18031 accreditation scope. Fewer than ten entities in Europe had published accreditation scopes covering the full EN 18031-1/-2/-3 set at the time of activation. CETECOM, Element, INTERTEK and SGS positioned themselves early; others are catching up. The consequences:
- Long waiting lists: 8 to 16 weeks of lead time to enter a third-party evaluation.
- Pressure on pricing driven by demand.
- Pragmatic approach: plan the assessment well ahead of the launch date, ideally as soon as the firmware is frozen.
Key takeaways for product teams
Section titled “Key takeaways for product teams”- Article 3.3 is active and enforceable since 1 August 2025, it is no longer optional or hypothetical.
- Self-assessment (module A) remains open for most IoT products when the EN 18031 standards are applied in full and no OJEU restriction is triggered, but it requires a formal, documented analysis.
- The standards EN 18031-1, EN 18031-2 and EN 18031-3 grant presumption of conformity, any other approach remains possible but adds considerable evidence burden.
- Book a laboratory slot early: capacity will remain tight for 12 to 24 months.
- For products already certified, anticipate the next change (firmware, radio component) that will reopen the conformity question.
Going further
Section titled “Going further”- Required RED tests: breakdown of tests by article 3.1 to 3.3
- RED harmonised standards: full table
- Common RED pitfalls: recurring errors in radio and cybersecurity
Sources & references
- Delegated Regulation (EU) 2022/30 , EUR-Lex eur-lex.europa.eu/eli/reg_del/2022/30/oj
- Directive 2014/53/EU, article 3.3 , EUR-Lex eur-lex.europa.eu/eli/dir/2014/53/oj
- Delegated Regulation (EU) 2023/2444, one-year deferral , EUR-Lex eur-lex.europa.eu/eli/reg_del/2023/2444/oj
- EN 18031 series: Cybersecurity for radio equipment , CENELEC www.cenelec.eu/