Radio Equipment Directive: A New Cybersecurity Chapter
On 1 August 2025 the Radio Equipment Directive (RED) entered a new phase for the EU market. What used to be a radio/spectrum framework has become a baseline for cybersecurity compliance across most connected products. Phones, routers, wearables, IoT sensors—if it talks to a network, it now lives under a tougher playbook.
Three levers drive the shift: Article 3(3)(d) on network protection, 3(3)(e) on personal data safeguards (with extra attention to toys/childcare/wearables), and 3(3)(f) on fraud prevention. Their technical expression is the EN 18031 series, which turns high-level legal duties into testable security outcomes: access control, secure updates, storage/comms security, monitoring, and resilience.
What changes in practice
The new technology regulations push manufacturers to prove they’ve embedded security by design—strong authentication, sane defaults, hardened update paths, and meaningful logging. That’s good news for users and for providers tired of botnets fueled by cheap, insecure devices.
The flip side: implementation isn’t trivial. EN 18031 can limit self-declaration: when a product's features (e.g., open firmware loading) break the assumptions behind the presumption of conformity, the product is nudged toward Notified Body review. Real costs rise, timelines stretch, and market entry becomes a governance exercise as much as an engineering one.
Innovation vs. lock-down
Here lies the tension. Security hardening is essential, but blunt restrictions risk collateral damage to openness, repairability, and research. Projects that rely on custom ROMs or community firmware can be caught in the compliance crossfire, even when their security posture is exemplary.
The EU’s broader policy mix complicates the picture: Right to Repair and the Digital Markets Act promote user choice and longevity, while strict readings of RED may incentivize locked bootloaders and closed ecosystems. Smart guidance is needed so cybersecurity regulations don’t quietly erode user agency.
Looking ahead
RED isn’t the end of the journey. The upcoming Cyber Resilience Act will raise the floor again, and overlapping regimes will make compliance a continuous discipline. Treat RED as more than a checkbox: it’s a chance to build trust, reduce incident costs, and differentiate on engineering quality.
A pragmatic playbook: map product features against EN 18031; document threat models and secure-update chains; avoid dark corners (weak password policies, silent telemetry); and, where openness matters, design for user-enrollable keys and verifiable modding paths. That’s how technology regulations and innovation can coexist.