Cybersecurity for Radio Equipment
Cybersecurity for radio equipment placed on the European Union market is at a crucial regulatory turning point. August 1, 2025, marks the full application date for the essential requirements introduced by Delegated Regulation (EU) 2022/30, which activates specific provisions of the Radio Equipment Directive (RED – 2014/53/EU). From this date, compliance with these requirements becomes mandatory.
The regulation aims to raise the level of cybersecurity for wireless products to protect networks, user privacy, and financial transactions.
The three new pillars of security
The Regulation is based on three essential requirements that connected radio equipment must meet.
- Network protection (Art. 3.3d): Devices must not harm the network or its functioning, nor misuse network resources, thereby causing an unacceptable degradation of service.
- Privacy and data protection (Art. 3.3e): Products must incorporate safeguards to ensure the protection of personal data and the privacy of users and subscribers.
- Fraud protection (Art. 3.3f): Devices must support features that ensure protection from fraud.
Harmonised standards: the EN 18031 series
To facilitate the compliance process, the European Commission has published Implementing Decision (EU) 2025/138, which harmonises the technical standards of the EN 18031 series. The application of these standards provides a “presumption of conformity” with the essential requirements.
The presumption of conformity is a cornerstone of European technical harmonisation legislation. It provides a legal advantage whereby a product manufactured according to the specifications of a harmonised standard is legally presumed to comply with the essential requirements of the directive it covers. This principle is of fundamental importance because it offers manufacturers a clear and recognised technical path to demonstrate compliance, simplifying access to the entire single market and thus promoting the free movement of goods within the EU.
Below is the correspondence between each part of the standard and the specific requirement.
- EN 18031-1: Network Protection, implements the requirement of Article 3(3)(d) of the RED. It applies to any radio equipment that connects to the Internet (e.g., smartphones, routers, smart TVs).
- EN 18031-2: Privacy and Personal Data Protection, implements the requirement of Article 3(3)(e) of the RED. It applies to radio equipment capable of processing personal data and specifically covers childcare equipment, toys, wearable devices, and other internet-connected equipment.
- EN 18031-3: Fraud Protection, implements the requirement of Article 3(3)(f) of the RED. It applies to internet-connected radio equipment that enables the transfer of money, monetary value, or virtual currency.
Restrictions and consequences
The presumption of conformity granted by these standards is subject to important restrictions.
Specifically, the presumption is not recognised if the product allows the user not to set an authentication password or if, for relevant product categories, it is not equipped with an effective parental control system.
The consequence of these limitations is of significant practical importance. If a product does not meet the restrictive conditions set by the standards, the manufacturer cannot benefit from the presumption of conformity. In such cases, the intervention of a Notified Body becomes mandatory to certify compliance with the cybersecurity requirements.
Implications of the deadline
As of August 1, 2025, it will no longer be possible to place non-compliant products on the Union market. Compliance with these new rules becomes, in effect, an essential condition for legally affixing the CE marking to the product and ensuring its commercialisation. Radio equipment falling within the scope of Delegated Regulation (EU) 2022/30 must, therefore, be fully compliant with the new cybersecurity requirements to be legally marketed.