RED 2025: New EU Cybersecurity Regulation for Wireless Devices

From August 1, 2025, all wireless and internet-connected devices sold in the European Union will need to comply with the new cybersecurity requirements introduced by the European Commission under the Radio Equipment Directive (RED). This regulatory change impacts a broad range of products, including smartphones, IoT devices, wearables, and connected toys.

Yarix helps you navigate these new requirements and prepare your products for the European market, securely and on time.

Understanding the RED Delegated Act

The RED delegated act, introduced under Article 3(3) of Directive 2014/53/EU, is designed to enhance the security of radio equipment. It mandates specific cybersecurity safeguards in three key areas:

  • Network protection (Article 3.3(d)): Devices must avoid disrupting networks or communication services.
  • Protection of personal data and privacy (Article 3.3(e)): Measures must be implemented to prevent unauthorized access to personal data.
  • Anti-fraud requirements (Article 3.3(f)): Devices must include features that reduce the risk of electronic payment fraud.

These provisions aim to improve the baseline security of connected devices and better protect users and infrastructure from cyber threats.

Who Needs to Comply?

Any device that connects to the internet or transmits data wirelessly may fall within scope, including:

  • Smartphones and tablets
  • Connected cameras
  • Wearable fitness trackers and smartwatches
  • Smart toys and baby monitors
  • IoT and smart home devices


Certain categories are exempt: medical devices, civil aviation systems, automotive radio components, and road toll equipment are regulated under other European frameworks and are not subject to these cybersecurity provisions.

Compliance Through Harmonized Standards: EN 18031

To demonstrate conformity with RED cybersecurity requirements, manufacturers can adopt the newly published EN 18031 series of harmonized standards. These standards are split into three parts, each addressing a different scope of device:

When applied in full (and without triggering specific restricted clauses) EN 18031 allows manufacturers to self-declare compliance through the Internal Production Control (IPC) process. If any restrictions apply, however, the manufacturer must involve a Notified Body (NB) to obtain EU-type certification.

 

RED vs CRA: Understanding the Context

It’s important to distinguish the RED requirements from those introduced by the forthcoming Cyber Resilience Act (CRA). While RED focuses on the cybersecurity of the device itself, including firmware, software, and interfaces, the CRA takes a broader lifecycle approach, covering everything from design to maintenance and decommissioning.

Despite this difference, RED compliance is not isolated. It forms a foundational element within the wider digital regulatory landscape and can help manufacturers prepare for the more extensive CRA obligations that will follow.

Discover how Yarix can help you reach CRA compliance

Your Compliance Options

Two main pathways to RED compliance

How Yarix supports your compliance journey

Complying with the RED delegated act is more than a legal requirement: it's a chance to enhance your product’s security and trust. Yarix provides tailored consulting to assess your product’s scope, identify compliance gaps, support certification with Notified Bodies, and guide you through technical documentation and testing.

Get Ready for August 2025

The RED delegated act comes into force in August 2025, but compliance planning should begin now. Early engagement can help avoid costly delays, redesigns, or certification issues. Yarix is ready to help you secure your products and your market access.

Deadline is approaching!

Contact us today to schedule a consultation and start your RED journey with confidence.