EU Radio Equipment Cybersecurity 2025: How to Comply with RED, EN 18031 and Delegated Regulation 2022/30

From 2025, the European Union is raising the bar for cybersecurity in every connected device that uses radio technologies. If your product communicates via Wi-Fi, Bluetooth, cellular, Zigbee, LoRa, or any other radio interface, its path to the EU market now runs through a new compliance regime: RED cybersecurity requirements, the EN 18031 harmonised standards, and the Delegated Regulation (EU) 2022/30.

This shift is not small. It redefines how manufacturers must design, build, document and maintain connected devices. It also turns cybersecurity into an essential requirement for CE marking.

Below is a clear explanation of what this new landscape means — and how Berezha Security Group (BSG) can help you meet it.

What is changing: the new EU cybersecurity baseline for radio equipment

The foundation is the Radio Equipment Directive (RED) – Directive 2014/53/EU. RED has long governed RF safety, EMC, and spectrum use. But Article 3(3)(d), (e) and (f) adds a less-visible layer: cybersecurity, privacy, and fraud protection. These clauses were dormant for years. That changes with Commission Delegated Regulation (EU) 2022/30, which activates those cybersecurity clauses for specific device categories, including:

  • internet-connected radio equipment
  • toys and childcare devices with radio interfaces
  • wearable radio equipment
  • devices processing personal, traffic, or location data
  • radio-enabled equipment supporting monetary or value transactions

This delegated act becomes fully applicable on 1 August 2025. To make compliance possible, the EU published new harmonised standards: EN 18031-1:2024 and EN 18031-2:2024, with a third part for financial-transaction devices. They give manufacturers a clear technical route to “presumption of conformity” with the RED cybersecurity requirements.

Why this matters: EU market access now depends on cybersecurity

For businesses entering or staying in the EU market, these rules are not optional. They directly affect:

  • the ability to obtain CE marking
  • liability exposure for insecure or privacy-violating behaviour
  • acceptance by distributors, retailers, and certification bodies
  • competitive differentiation in the IoT and consumer device market
  • long-term product lifecycle obligations

Put simply: no cybersecurity, no EU market. This makes product security a board-level concern, not just a feature request. It also aligns RED with the upcoming Cyber Resilience Act (CRA), accelerating a future where insecure consumer devices simply cannot be sold in Europe.

What EN 18031 actually requires from manufacturers

EN 18031-1 and EN 18031-2 define a structured set of security and privacy controls for radio equipment. They cover:

  • secure authentication and credential handling
  • protection of network resources
  • secure update mechanisms
  • secure communication protocols
  • protection of personal, traffic, and location data
  • robust access control and user management
  • parental/guardian controls (where applicable)
  • lifecycle security and vulnerability handling

Manufacturers must produce objective evidence that these controls work. Contrary to common belief, the standards do not mandate penetration testing. They require demonstrable conformity, which can include structured testing, firmware review, design analysis, and lifecycle documentation. If the product deviates from the standard, the involvement of a Notified Body may be required.

How BSG helps manufacturers achieve RED cybersecurity compliance

BSG has long helped global companies design and ship secure products. Under RED and EN 18031, our role becomes even more critical. We support manufacturers across the entire compliance lifecycle.

1. Security-by-design alignment

We map EN 18031 requirements into your product architecture and firmware. We help you embed the necessary controls early instead of scrambling to retrofit them later.

2. EN 18031 gap analysis and risk assessment

We assess your device against the applicable parts of EN 18031 and identify gaps in implementation, documentation, and process maturity.

3. Evidence generation and conformity documentation

We deliver the technical testing, analysis, and architectural evidence required for your CE technical file, including:

  • structured security testing
  • update mechanism validation
  • credential and key-handling analysis
  • data-flow assessment
  • lifecycle and vulnerability-handling evaluation

4. Lifecycle and post-market compliance

We help you build processes for:

  • secure updates
  • coordinated vulnerability disclosure
  • post-market monitoring
  • long-term maintenance obligations

These elements are increasingly required not only by RED but also by the Cyber Resilience Act.

5. Executive-level and regulatory guidance

We prepare clear, strategic briefings for top management on:

  • RED cybersecurity exposure
  • EN 18031 compliance roadmap
  • resource planning and cost expectations
  • timelines for successful market entry

This turns regulatory pressure into a strategic advantage.

What CEOs and product leaders should do now

If you build or sell a radio-enabled or IoT product, start early. Hardware lead times, firmware redesigns, testing cycles, and documentation take months.

You should:

  • classify your device under the Delegated Regulation categories
  • analyse EN 18031 applicability
  • run a readiness and gap analysis
  • begin integrating missing controls now
  • prepare the technical file before August 2025

BSG can guide and execute each step.

Summary

The EU is moving toward a secure-by-default device ecosystem.

RED cybersecurity requirements, the Delegated Regulation 2022/30, and EN 18031 are the first wave. They make cybersecurity, privacy, and fraud-resilience essential for CE-marked radio equipment.

Manufacturers who adapt early will enjoy frictionless market access, regulatory stability, and a clear competitive advantage. Those who delay will face last-minute redesigns, certification hurdles, and lost market opportunities.

BSG stands ready to help you design secure products, meet EN 18031 requirements, and bring compliant devices to market on schedule.