IoT
09 October 2025

RED Directive & cybersecurity: prepare your products for the new requirements

You’ve probably already heard it (or at least we hope so): as of August 1, 2025, the revised RED Directive (Radio Equipment Directive) is officially in effect.

In recent years, connected devices have multiplied on the market. But more connectivity also means more risk.


With cyberattacks on the rise, the European Union decided to strengthen its regulatory framework to better protect users and personal data. 

These new obligations represent a real challenge for both project leaders and manufacturers: adapting to the evolving RED Directive, while preparing for the upcoming Cyber Resilience Act (CRA) expected in 2027.

So, how can you ensure your products are compliant?
And how can you anticipate the next regulatory steps without doubling your efforts? 

That’s exactly what we’ll break down in this article. 

 

Understanding the RED directive and its new obligations 

What is the RED (Radio Equipment Directive)? 

Let’s start with the basics — what is the RED, and what does it involve? 

The Radio Equipment Directive (EU Directive 2014/53) was adopted in 2014 and took effect in 2016. It defines the essential requirements that all radio devices must meet before being placed on the European market. 

For several years, the directive mainly covered electronic aspects such as electrical safety and electromagnetic compatibility (EMC). 

But as of August 1, 2025, a major update has come into force: articles 3.3 (d), (e), and (f) are now mandatory.
In practice, this means any product within scope must comply with specific cybersecurity requirements to obtain CE marking. 

So, how do manufacturers navigate this? 

To help, the harmonized standard EN 18031 provides a detailed roadmap covering everything needed to prove that a product meets the new requirements, from risk assessment and technical documentation to security mechanisms and testing.

 

Which products are affected? 

All devices capable of connecting to the Internet, either directly (e.g., Wi-Fi, LTE) or indirectly (e.g., a Bluetooth device connected to a smartphone). 

This includes routers, smart home systems, IoT devices, connected toys, and more. 

Note: this requirement applies per unit placed on the market.
In other words, every single unit sold after August 1, 2025, must be compliant — even if it’s an existing model that’s been on the market for years. 

 

Any exceptions? 

Some sectors already have their own cybersecurity frameworks and are therefore excluded from the RED update (non-exhaustive list): 

  • Aerospace 
  • Medical devices 
  • Defense and military 
  • Transportation 
  • Electronic toll systems 

 

What does this update actually change? 

Until now, cybersecurity was mostly left to manufacturers’ best practices.
With this RED update, it becomes a regulatory requirement — a prerequisite for selling in the EU. 

In short: if your product connects directly or indirectly to the Internet and is placed on the EU market after August 1, 2025, it falls under the scope of the RED. 

 

Compliance and responsibilities: who is in charge? 

Once we understand what RED entails, the next question is — who’s responsible for compliance? 

It’s simple: the manufacturer, that is, the one who places the product on the market, is solely responsible and is the only one held accountable. They alone are responsible for ensuring that their product complies with RED requirements and for obtaining the CE marking.

If a product fails to comply, it’s the manufacturer who will be held accountable by authorities and the market. 

That said, manufacturers can of course rely on specialized partners throughout the process — and that’s precisely where we step in. 

For us, compliance isn’t a constraint or a “final step.”
It’s an integral part of a product’s quality — something to be considered from the design phase onward. 

 

Applying RED cybersecurity requirements in practice 

Articles 3.3 (d), (e), and (f) of the RED aren’t just another layer of bureaucracy.
They answer a simple question:
How do we prevent connected devices from becoming gateways for cyber threats? 

 

What do we protect? 

The RED update defines three key areas of protection to ensure that radio equipment is built to: 

  • Protect networks (d): ensuring devices do not harm the network or misuse its resources in a way that degrades service. 
  • Protect users’ personal data (e): ensuring devices include safeguards for personal data and user privacy. 
  • Prevent fraud (f): supporting features that help protect against fraudulent use. 

In short, it’s not just about securing the device — but also its network environment and the data it handles, especially personal data or financial transactions. 

 

What are we protecting against? 

The threats are varied and very real: 

  • Cyberattacks targeting networks 
  • Fraud and misuse 
  • System intrusions 
  • Theft or exfiltration of personal data 
  • Firmware compromise 

Without proper protection, any connected product can quickly become an open door for attackers. 

 

How do we protect products effectively? 

The RED requires that security be built in from the design phase — the well-known “secure by design” approach. 

That means implementing concrete protection mechanisms such as: 

  • Access control and authentication 
  • Secure updates to patch vulnerabilities 
  • Encrypted data storage and communications 
  • Event logging and monitoring 
  • Secure deletion of personal data (in line with GDPR) 
  • Cryptographic signing and encryption 
  • Network resilience and service availability 

The goal is to make cybersecurity an integrated layer of protection, not an afterthought. 

 

How do we prove compliance? 

Once these protections are in place, you must be able to demonstrate them. 

Self-assessment (articles 3.3 d/e/f)

The starting point is a self-assessment of compliance with RED cybersecurity requirements, following the harmonized EN 18031 standard. 

This involves two key steps: 

  • Risk analysis: identifying threats, impacts, and product vulnerabilities. 
  • Gap analysis: comparing the product against EN 18031 requirements to highlight missing elements. 

 

Technical documentation

You must maintain a clear record of all actions and design decisions, including: 

  • A technical design document (cyber risk analysis + firmware architecture) 
  • A test report (what was verified, how, and the results) 
  • A self-assessment report aligned with EN 18031 (justifications and supporting evidence) 

These documents must be kept for 10 years after the product is placed on the market. 

 

Ensuring continuous compliance

RED compliance doesn’t stop at launch.
You must also: 

  • Keep version history (release notes, security patches) 
  • Re-run relevant tests when firmware evolves 
  • Update documentation when risks, architecture, or firmware change 

 

At Rtone, we help you achieve compliance with clear, actionable deliverables, tailored to your product’s situation. 

For a new product: 

  • Perform risk and gap analyses to define what needs to be addressed 
  • Structure and draft technical documentation 
  • Develop firmware that meets security requirements from day one 
  • Prepare self-assessment documentation 
  • Conduct testing and produce a full test report 

 

For an existing product: 

  • Update risk and gap analyses to identify missing elements 
  • Review and adjust technical documentation 
  • Update firmware to address gaps 
  • Compile evidence for the self-assessment report 
  • Run re-evaluation tests and formalize results 

Beyond compliance, our goal is twofold:
save you time on technical aspects and help you anticipate future regulations such as the CRA in 2027. 

Building solid cybersecurity foundations today may seem demanding, but it will make it far easier to adapt to future requirements. 


 

Practical cases: what this means for your products 

Let’s look at some of the most common situations you might face: 

Your product was already on the market before August 2025 

If your device was placed on the market before RED came into effect, you can continue selling existing stock.
However, any new unit placed on the market — even identical — must now comply with RED requirements. 

 

You’re selling a new batch of an existing model 

Even if the product itself hasn’t changed, any unit sold after August 1, 2025, counts as a new placement on the market.
Result: each unit must be RED-compliant. 

 

You’re deploying a software update 

If the update affects the product’s cybersecurity (e.g., new network features, changes to authentication, processing of new personal data, etc.), it may trigger a re-certification requirement. 

In that case, you’ll need to update your risk analysis, design documentation, impacted tests, and EN 18031 self-assessment report before deployment. 

 

You’re developing a new connected product 

This is the perfect moment to integrate RED compliance from the start.
A secure-by-design approach avoids costly fixes later and ensures your product is robust when it reaches the market. 

 

Looking ahead: preparing for the Cyber Resilience Act (CRA) 

Regulation keeps evolving.
The Cyber Resilience Act (CRA), adopted in 2024 and applicable from December 2027, expands the scope even further: 

  • All digital products, not just radio equipment 
  • Software, SaaS, and wired devices included 
  • Extended responsibility throughout the product lifecycle 
  • Mandatory vulnerability disclosure 

No need to panic: the best practices you put in place for RED form a strong foundation for CRA compliance.
However, this continuity mainly concerns hardware and radio equipment — CRA will apply differently to cloud services and mobile apps. 

Preparing now for this compliance roadmap will help you avoid redundant work and control adaptation costs later on. 

 

Want to discuss your compliance roadmap? 

Let’s talk about how we can help you make your products secure, compliant, and future-ready. 
