IoT and the RED Directive
The RED Directive: The essential framework for ensuring the conformity of radio equipment in Europe
To strengthen the cybersecurity of internet-connected radio products on the European market, the European Commission has published a regulation dedicated to radio equipment. The new provisions of the delegated act, Regulation (EU) 2022/30, within the framework of the Radio Equipment Directive (RED) – 2014/53/EU, are mandatory for all connected equipment from 1 August 2025.
DIRECTIVE RED: What are we talking about?
The Radio Equipment Directive (RED) is a European directive that regulates the placing of radio equipment on the European market.
It defines the essential requirements and conformity assessment procedures that manufacturers and importers of radio equipment must comply with before placing their products on the European market.
The essential requirements of the RED Directive take into account radio performance, security, and electromagnetic compatibility (EMC).
Since February 2, 2022, the European Commission has added a delegated regulation requiring radio products to comply with cybersecurity standards, applicable since August 1, 2025.
Continuation of events
entered into force
20 days after publication
for standardization has been
addressed to
CEN/CENELEC
is possible because the harmonized standard
has beenpublished in the official journal
must comply when
they are placed on the market.
The manufacturer can prove the conformity of its products by ensuring that they are assessed by the relevant notified bodies.
RED 2025 DIRECTIVE: Are your connected devices compliant for placing on the market?
Which devices are affected by the RED's new cybersecurity requirements?
data over the Internet
EQUIPMENT
or fitness trackers
What happens to devices already on the European market?
Devices without specific notifications regarding security issues can be used until the end of their lifespan. The RED Directive applies to each individual radio product placed on the market, not to a range of products. Therefore, all radio products placed on the EU market after August 1, 2025, must comply with these new cybersecurity requirements.
Specifically, what has changed?
The delegated act, officially adopted by the European Commission on 29 October 2021, implements the following essential requirements of Article 3(3) of the RED Directive :
- Article 3.3(d) — improve network resilience : wireless devices and products will need to incorporate features to avoid damaging communication networks and prevent devices from being used to disrupt the functionality of a website or other services.
- Article 3.3(e) — better protect consumer privacy : wireless devices and products will need to have features that guarantee the protection of personal data. Protecting children's rights will become a key element of this legislation. For example, manufacturers will have to implement new measures to prevent unauthorized access to or transmission of personal data.
- Article 3.3(f) — reduce the risk of monetary fraud : wireless devices and products will need to include features to minimize the risk of fraud during electronic payments. For example, they will need to ensure better user authentication control to prevent fraudulent payments.
What standards should IoT product manufacturers use?
- EN 18031-1, -2, -3 : evaluation, certification and the RED Directive
- IEC 62443-4-2 : evaluation, certification and the RED Directive
- ETSI EN 303 645 : evaluation, certification and the RED Directive
