Key Points
- UK & EU IoT vendors have more security regulation coming in
- Applies to all wireless devices
- Comes into force 1st August 2025
- It may be absorbed into the Cyber Resilience Act
From 1st August 2025, mandatory cybersecurity requirements come into effect under the EU's Radio Equipment Directive (2014/53/EU), or RED.
This also applies to the UK market, since RED was implemented into UK law by the Radio Equipment Regulations 2017.
Scope
The requirements apply to all new and existing wireless devices sold in the EU (including distance selling and white-labelled products). Here's a non-exhaustive list:
- Wi-Fi routers
- Bluetooth wearables
- Smart home technology
- Smart toys
- Electric vehicle chargers (EVSEs)
- Healthcare and childcare devices
- Industrial IoT
Key Requirements
RED regulates several features of radio devices, including electromagnetic compatibility, charging standards, and accessibility.
The security requirements are a new addition that provides a baseline for protecting personal data and privacy, and for protecting the device against fraud. They're defined under Article 3(3) points (d), (e), and (f) of the Directive:
(d) Network Protection
Ensure the device does not degrade functionality of the wider network, or otherwise misuse network resources.
(e) Personal Data Protection and Privacy
- All processed data (personal, traffic, and location) must be protected from unauthorised access during both storage and transmission.
- User privacy must be safeguarded.
(f) Fraud Prevention
Devices that handle virtual currency or facilitate monetary transactions must not be susceptible to financial fraud. Implement safeguards against spoofing, identity theft, and tampering.
It is anticipated that the EU Cyber Resilience Act (which has the even broader scope of all 'products with digital elements') will absorb the above requirements once fully implemented, leaving RED itself applicable only to the non-security requirements.
Conformance
The EN 18031 series maps each of the three points to a category of radio-enabled device, and provides guidelines to help manufacturers design and test the conformance of their device:
EN 18031-1
Concerns point (d) and targets all Internet-connected radio devices.
EN 18031-2
Concerns point (e) and targets any device processing personal, traffic, or location data. Specific examples include wearable technologies and toys.
EN 18031-3
Concerns point (f) and targets devices that handle money.
The EU wants commonality and standardisation with existing frameworks, so manufacturers already aligned to ETSI EN 303 645 (consumer IoT security) or IEC 62443-4-2 (industrial security) will see significant overlap. A mapping between those standards' provisions and RED's requirements can be found in ETSI TS 103 929.
Conformity with RED is achieved with a self-assessment or with a report from a notified body. If the requirements become a subset of CRA, "critical" devices cannot be self-assessed.
How We Can Help
We offer a range of technical and advisory services to evaluate the security posture of your devices at all stages of the development lifecycle:
- Threat modelling and secure design workshops to squash insecurities at their source.
- Penetration testing from the hardware level all the way up to your fleet-management infrastructure.
- Maturity assessment to identify how close you are to compliance with RED and EN 18031.
- Retesting of remediations and continuous testing of new features on your devices.