In accordance with the upcoming amendments to the Radio Equipment Directive (RED) 2014/53/EU, certain categories of radio equipment will be required to comply with new cybersecurity, privacy, and fraud prevention measures. These requirements, defined under Article 3(3)(d), (e), and (f), are intended to ensure the protection of personal data, safeguard network integrity, and prevent unauthorized access or manipulation of connected devices.
Starting from August 1st, 2025, manufacturers of applicable devices—such as smartphones, wireless toys, wearable devices, and other connected products—must ensure conformity with the essential cybersecurity requirements. Compliance may involve implementing secure boot mechanisms, encryption, user authentication, secure update mechanisms, and protection against known vulnerabilities.
Further guidance will be provided via harmonized standards (such as ETSI EN 303 645 and future versions of EN 18031-x), and manufacturers must document compliance within their technical documentation. Depending on the risk classification, third-party conformity assessment (e.g. via a Notified Body) may be required.
As a software supplier for radio modules used in wireless-connected products, we are actively preparing for these cybersecurity requirements. We focus on delivering firmware and application stacks that support:
- Separation of user data and system processes
- Secure boot and update mechanisms
- Controlled access interfaces (e.g. authentication, pairing)
- Radio protocol integrity and denial-of-service protection
The following provides an analysis of EN 18031-1, -2, and -3:2024, which offer technical guidance on the implementation of Directive 2014/53/EU (RED), particularly with regard to the essential requirements defined in Article 3(3)(d), (e), and (f):
- (d): features to ensure protection from fraud
- (e): features to safeguard the personal data and privacy of the user and subscriber
- (f): features to ensure access to emergency services
According to common interpretations of EN 18031, devices that do not include an IP stack and are therefore not capable of directly or indirectly communicating over the internet (cf. EN 18031-1) are generally considered outside the scope of the standard. In such cases, all communication takes place exclusively via a paired smartphone app acting as an intermediary.
Furthermore, the device in question does not process any personal data (cf. EN 18031-2), nor does it store or handle payment-related information, monetary value, or virtual currency (cf. EN 18031-3).
Based on this interpretation and in accordance with prevailing industry understanding, it can be concluded that the device does not fall within the scope of applicability of EN 18031-1, -2, or -3:2024 and is therefore not subject to the corresponding essential requirements under Article 3(3)(d), (e), and (f) of Directive 2014/53/EU (RED).
Should you have any questions regarding the technical characteristics or communication architecture of our implementation, we are happy to provide additional details to support your own evaluation.
Please note: This assessment reflects our internal interpretation of the standard and is provided for informational purposes only. It does not constitute legal advice or a formal declaration of conformity. We accept no liability for decisions made based on this interpretation and recommend that each party conduct its own evaluation in accordance with applicable regulatory requirements and legal obligations under the RED.