
RED

What is the Radio Equipment Directive (RED)?

EU Directive 2014/53/EU – known as the Radio Equipment Directive (RED) – is the central framework for placing radio equipment on the market in the European Economic Area. It defines essential requirements for safety, electromagnetic compatibility, and the efficient use of radio spectrum. In Germany, the Funkanlagengesetz (FuAG) transposes the directive; the market surveillance authority is the Bundesnetzagentur.

Commission Delegated Regulation (EU) 2022/30 (the “RED-DA”) activated Article 3(3)(d), (e) and (f) of the RED, which had previously been placeholders only. These requirements have applied since 1 August 2025 (originally 1 August 2024, postponed by twelve months via Delegated Regulation (EU) 2023/2444) and are binding for manufacturers, importers and distributors of certain radio equipment. The three protection objectives are:

  • Art. 3(3)(d), network protection: the radio equipment must not harm the network nor misuse network resources.
  • Art. 3(3)(e), protection of personal data and privacy: built-in safeguards for the processing of personal data and for user and subscriber privacy.
  • Art. 3(3)(f), protection from fraud: built-in safeguards against fraudulent use, in particular for radio equipment that handles money, monetary value or virtual currencies.

The RED-DA is therefore the EU’s first binding product-cybersecurity regulation to bite in practice, taking effect before the Cyber Resilience Act (CRA) for in-scope radio equipment. With the full applicability of the CRA from 11 December 2027, the RED-DA is expected to be repealed. At that point the CRA requirements for products with digital elements will succeed the RED cybersecurity requirements, regardless of communication technology.

At SCHUTZWERK we understand the challenges of the RED cybersecurity requirements, from clarifying whether a given product falls under Art. 3(3)(d/e/f) at all, through technical implementation, to the conformity assessment against the harmonised standards EN 18031-1/2/3. Our embedded-security team supports manufacturers with threat and risk assessment, penetration testing and the preparation of the technical documentation.

Objective

Support in implementing and maintaining RED compliance through specialized security assessments


Question

How can we effectively meet the cybersecurity requirements of the Radio Equipment Directive (RED)?


Scope

Radio-enabled products within the scope of RED requirements

Cybersecurity under RED – a new compliance requirement

The extended RED introduces, for the first time, concrete security requirements for radio-enabled devices as of August 2025. The aim is to establish a consistent level of security for connected products using radio technologies across the EU.

RED requires manufacturers to ensure that their radio products:

  • do not harm or disrupt networks,
  • protect users’ personal data and privacy,
  • cannot be misused for fraudulent purposes.

These requirements significantly impact the design, development, and operation of connected products. Particularly affected are devices with internet access, app connectivity, user accounts, or payment functions. To meet these requirements, manufacturers can refer to the measures defined in the harmonised standards EN 18031-1/2/3. These ensure products meet “Security by Design” and “by Default” principles.

Protection of networks, data, and against fraud

Manufacturers must ensure their products do not negatively impact communication networks, safeguard user privacy, and prevent fraud – especially in devices used for payments or confidential communication. We assist in developing appropriate safeguards and security architecture for your products. For already developed products, we conduct security assessments, such as penetration tests.

Security requirements in the development process

Cybersecurity must now be integrated “by design” into product development processes. SCHUTZWERK provides in-depth threat and risk analyses and technical consulting for implementing secure hardware and software architectures. Our embedded security team specifically analyzes potential vulnerabilities – from in-depth firmware analysis to wireless interfaces.

Conformity assessment and technical documentation

Implementing RED requirements requires a structured conformity assessment – either internally (Module A) or via a notified body. We support you in selecting the appropriate procedure, preparing the CE Declaration of Conformity, and compiling technical documentation in accordance with RED.

Scope of the RED Cybersecurity Requirements

Commission Delegated Regulation (EU) 2022/30 does not activate the protection objectives of Art. 3(3)(d), (e) and (f) for all radio equipment; it applies them per product category:

| Product cluster (per Delegated Reg 2022/30) | Activated protection objectives | Typical examples |
| --- | --- | --- |
| Radio equipment that communicates over the internet (directly or via another device) | Art. 3(3)(d) network protection and (e) protection of personal data and privacy | Smart home devices, Wi-Fi / Bluetooth routers, IoT sensors, smart TVs, voice assistants |
| Radio equipment that processes personal or location data | Art. 3(3)(e) | Wearables (fitness trackers, smartwatches), body-worn or implanted radio equipment |
| Radio equipment for child care or as toys for children under 14 | Art. 3(3)(e) | Baby monitors, connected learning toys, children’s smartwatches |
| Radio equipment that handles money, monetary value or virtual currencies | Art. 3(3)(f) protection from fraud | Mobile payment terminals with a radio interface, contactless payment devices, hardware wallets |

Out of scope of the Delegated Regulation are radio products already covered by equivalent sector-specific regulation, in particular medical devices (Regulations (EU) 2017/745 and 2017/746) and motor vehicles in the type-approval regime (UNECE R155 in conjunction with Regulation (EU) 2019/2144).

Presumption of Conformity via the Harmonised Standards EN 18031

The harmonised standards EN 18031-1, EN 18031-2 and EN 18031-3, notified in the Official Journal of the EU in August 2024, cover one protection objective each and, when applied in full and correctly, give a presumption of conformity:

  • EN 18031-1: requirements for network protection (Art. 3(3)(d)), addressing internet-enabled radio equipment.
  • EN 18031-2: requirements for the protection of personal data and privacy (Art. 3(3)(e)), addressing data-processing, child-specific and body-worn radio equipment.
  • EN 18031-3: requirements for protection from fraud (Art. 3(3)(f)), addressing radio equipment for monetary and crypto transactions.

The standards build on and align with the established ETSI EN 303 645 (Cyber Security for Consumer IoT) baseline and concretise requirements for, among other things, secure authentication, secure default settings, secure update mechanisms, vulnerability handling and privacy by default.

If you need a formal legal assessment beyond the technical classification (for example to clarify whether your radio product falls into one of the categories of Commission Delegated Regulation (EU) 2022/30, to delineate sector-specific exemptions (medical device under MDR/IVDR, motor vehicle under UNECE R155), to plan the strategic RED → CRA transition from 11 December 2027, or to present to your management board, supervisory board or the Bundesnetzagentur), we can include, on request, a legal opinion on RED scope by a lawyer specialised in IT and cybersecurity regulation.

Background: in Germany, the Rechtsdienstleistungsgesetz (RDG) reserves the provision of legal advice for admitted lawyers. In practice, a well-founded RED scope determination requires both technical analysis (radio technologies, data flows, update architecture) and legal evaluation (interpretation of 2022/30 and of the mapping provisions to the CRA, MDR and R155, plus the Funkanlagengesetz). The usual setup (your technical consultant going back and forth with your external lawyer, often with you as an intermediary) is slow and lossy.

Our model: we work with a law firm specialised in regulatory and IT law whose lawyer can act directly as part of our project team and, on request, be billed through SCHUTZWERK, with no additional vendor to set up or onboard on your side. The legal advice itself is delivered in an RDG-compliant manner on the basis of a client mandate agreement (“Mandatsvereinbarung”) between you and the law firm directly, so the opinion is clearly documented and cleanly embedded in your SCHUTZWERK engagement. Outcome: a single consolidated technical-legal RED scope and CRA-transition opinion from one point of contact, with no whisper-down-the-lane between consultants.

Frequently Asked Questions About RED Cybersecurity

The cybersecurity requirements in Art. 3(3)(d), (e) and (f) RED were activated by Commission Delegated Regulation (EU) 2022/30. The addressees are manufacturers, importers and distributors of specific categories of radio equipment placed on the EU market, in particular radio equipment that communicates over the internet (Art. 3(3)(d) network protection + (e) data protection), body-worn or personal-data-processing radio equipment, radio equipment for child care or as toys for children under 14 (Art. 3(3)(e)) and radio equipment that handles money or crypto transactions (Art. 3(3)(f) protection from fraud). Radio equipment already covered by sector-specific regulation, in particular medical devices (MDR/IVDR) and motor vehicles (UNECE R155 in conjunction with Regulation (EU) 2019/2144), is out of scope of the Delegated Regulation.
Commission Delegated Regulation (EU) 2022/30 entered into force on 7 January 2022; the original date of application of 1 August 2024 was postponed by twelve months via Delegated Regulation (EU) 2023/2444. The cybersecurity requirements in Art. 3(3)(d), (e) and (f) RED have therefore applied since 1 August 2025. With the full applicability of the Cyber Resilience Act (CRA) from 11 December 2027, the RED Delegated Regulation is expected to be repealed. The CRA requirements will then succeed the RED cybersecurity requirements regardless of communication technology.
The harmonised standards EN 18031-1, EN 18031-2 and EN 18031-3 were notified in the Official Journal of the EU in August 2024 and cover one RED-DA protection objective each: EN 18031-1 covers network protection (Art. 3(3)(d)), EN 18031-2 covers the protection of personal data and privacy (Art. 3(3)(e)), and EN 18031-3 covers protection from fraud (Art. 3(3)(f)). Applied in full and correctly, compliance with these standards gives a presumption of conformity with the RED. The standards build on and align with the established ETSI EN 303 645 (Cyber Security for Consumer IoT) and concretise requirements for secure authentication, secure default settings, secure update mechanisms, vulnerability handling and privacy by default.
The RED-DA is technology-bound and only addresses radio equipment that falls within the categories listed in Commission Delegated Regulation (EU) 2022/30: internet-enabled radio equipment, data-processing wearables, child-specific radio equipment, and radio equipment for monetary or crypto transactions. The CRA, by contrast, is technology-neutral and applies to all products with digital elements in the EU single market, whether or not they include a radio interface. As the CRA’s full applicability from 11 December 2027 substantively overlaps the RED-DA scope, the repeal of Delegated Regulation (EU) 2022/30 is intended at that point. Until then, the RED cybersecurity requirements continue to apply to the listed radio-equipment categories; for affected manufacturers, a coherent RED → CRA roadmap during the transition phase is advisable to avoid duplicate effort.
The RED is transposed into German law through the Funkanlagengesetz (FuAG). The market surveillance authority for radio equipment is the Bundesnetzagentur, which performs conformity checks on the market, orders corrective measures in the event of non-conformity and, for repeated violations, may issue sales and import bans. The new cybersecurity requirements under the RED-DA create interfaces with the BSI (in particular for threat and vulnerability questions) and with the data protection supervisory authorities (for Art. 3(3)(e) personal data protection). Sanctions follow the offence catalogue of the FuAG; the Bundesnetzagentur’s intervention powers extend up to market withdrawal.

From Product Classification to Conformity: RED Support by SCHUTZWERK

For technical implementation, the RED-DA primarily refers to the harmonised standards EN 18031-1/2/3, which in turn build on the established ETSI EN 303 645 (Cyber Security for Consumer IoT) baseline. For industrial radio products, the IEC 62443 family and, as the ISMS carrier process for the manufacturer, ISO/IEC 27001 remain relevant reference points. SCHUTZWERK supports RED addressees along these standards with dedicated embedded and radio-technology specialists and certified ISO 27001 Lead Auditors.

A typical RED cybersecurity package consists of four building blocks that build on each other and can be commissioned individually or as a single engagement:

  1. Scope determination and product classification: assignment of the product to the Delegated Regulation (EU) 2022/30 categories (internet-enabled, data-processing / wearable, child-care product, money/crypto handling) and delineation against sector-specific regimes (MDR/IVDR, UNECE R155); optionally extended with a formal legal opinion via our specialised law firm partner (see section above).
  2. Position assessment: product-level threat and risk assessment along ETSI EN 303 645 / EN 18031, plus a gap analysis of hardware, firmware and radio-technology security against the relevant EN 18031 requirements.
  3. Technical assessment: focused embedded security assessments and penetration tests, including radio-protocol testing (Bluetooth, Wi-Fi, Zigbee, LTE) as well as firmware and hardware security analyses in our specialised embedded laboratory.
  4. Implementation support and CRA-transition planning: setup and operation of the product security process (coordinated vulnerability disclosure, update pipeline), creation or maintenance of the technical documentation and CE Declaration of Conformity under RED, and strategic preparation of the transition to the Cyber Resilience Act from 11 December 2027.

Which building blocks are required and in what depth depends on the product type (consumer IoT, industrial product, payment hardware), the radio technologies in use and the time-to-market of your products.

Our Services

Threat and Risk Assessment

We develop relevant threat scenarios for your product and assess the resulting risks to derive appropriate security requirements and measures. This includes evaluating the risks of radio products related to network access, data processing, and potential misuse.

Security Architecture

We help design and implement secure architectures that meet RED requirements while supporting efficient development processes.

Secure Development

We guide you in establishing security-focused development processes in line with RED and related standards.

Product Security Assessments

Our comprehensive security assessments help identify vulnerabilities in your products and systems. We provide detailed insights and practical improvement suggestions.

Penetration Testing

Our specialized penetration tests help evaluate the security of your products and identify potential vulnerabilities – with a particular focus on wireless interfaces such as Bluetooth, Wi-Fi, Zigbee, or LTE.

Implementation Approach

Our approach to implementing RED cybersecurity requirements is based on a structured four-step model:

  1. Product analysis and comparison with the scope of RED and EN 18031
  2. Technical security assessment and targeted penetration testing
  3. Consulting on security architecture and safeguards
  4. Support with conformity assessment, CE documentation, and future CRA strategy

This ensures your product is both legally compliant and securely positioned in the market.

Benefits of Working with SCHUTZWERK

Partnering with SCHUTZWERK offers you:

  • Deep understanding of both technical security requirements and regulatory frameworks
  • Experience with frameworks such as RED, EN 18031, and CRA
  • Practical expertise in implementing product security measures
  • Comprehensive testing and evaluation capabilities
  • Ongoing support and guidance throughout your compliance journey
  • Independent and objective security expertise

Our goal is to make your products not only compliant, but also resilient and trustworthy – ensuring sustainable market access in Europe.

Funding for SMEs: Through the EU SECURE4SME programme, small and medium-sized enterprises can receive grants of up to 30,000 euros for CRA-related cybersecurity measures – also relevant for products within the scope of RED. Learn more on our SECURE4SME funding page.
