EU's RED directive mandates cybersecurity (EN 18031) for connected devices. SECO supports OEMs with secure platforms, active protection, and streamlined compliance.
On August 1, 2025, the Radio Equipment Directive (RED) of the European Union (EU) will be expanded to include new cybersecurity requirements, which will require compliance with the technical standard EN 18031. The EN 18031 is aligned in three parts with Articles 3.3 d, e, and f of the RED directive, which cover protection for networks, for data and privacy and for fraud prevention. From August 1, 2025, industrial companies that produce network-compatible devices for the EU market must comply with the new RED directive requirements. With this, cybersecurity is no longer optional, but a regulatory obligation, impacting product design, certification processes, and time-to-market.
With the RED Directive, the EU wants to change the security landscape so that all devices connected to the internet operate at the same security level. However, this poses major challenges for manufacturing companies. Navigating through the jungle of requirements alone to understand all the practical implications is extremely complex.
This blog translates the new RED requirements into practical and actionable instructions for all industrial sectors and explains how companies can comply with these extensive requirements for their devices.
Understanding the RED Cybersecurity Requirements
The RED Directive (Directive 2014/53/EU) covers all devices that transmit or receive radio waves and are placed on the EU market. This applies to a wide range of industrial products that use Wi-Fi, LTE, BT or other wireless IoT devices. The directive will be expanded with the new requirements throughout the EU on August 1, 2025 and introduces mandatory cybersecurity requirements for the devices described. Among other things, manufacturers of these devices must ensure that:
- Networks are protected from unauthorized access
- Users’ personal data is protected
- Fraud in digital communication is prevented
The most important standard within the RED Directive is EN 18031, which is divided into three parts and forms the technical basis for compliance with this directive. The standard also regulates compliance with the conformity requirements for CE marking.
OEMs manufacturing devices for the EU market must be aware of their responsibilities to ensure compliance for every level of their end product, including the entire product and not just a single radio module within the end product. This places the responsibility for compliance squarely on the shoulders of the end device manufacturer.
Practical Impact on the Industrial Sector
In industry, non-compliance is not only a legal risk, but also a direct threat to business continuity and safety. The following explains what the articles of EN 18031 mean for typical industrial plants and the devices used in them.
Network Protection (Art. 3.3d): Take, for example, an HMI or a gateway that is connected to the Internet via Ethernet. The device must not represent a weak point in the company network through which hackers can gain unauthorized access to company data. This requires features such as secure boot to verify the authenticity of the firmware, validation of firmware integrity during boot and update, and the use of secure protocols to prevent unauthorized access.
Data & Privacy Protection (Art. 3.3e): Any device that processes operational or personal data must employ end-to-end encryption (e.g., TLS, AES) for data in transit and at rest, along with robust user and device authentication mechanisms. The principle of “privacy by default,” which involves minimal data collection, should also be applied.
Fraud Prevention (Art. 3.3f): This is critical for preventing tampering. For industrial machinery, this means using digitally signed firmware and updates, implementing tamper resistance mechanisms like fuse protection, and enabling rollback protection to prevent reinstallation of vulnerable software versions.
Companies that implement the directives in time reduce violations of applicable law and high contractual penalties and create trust for consumers by providing safe products. They also create a competitive advantage over manufacturers who do not implement the directives or only partially implement them.
Accelerating RED Compliance
Industrial companies should be aware that meeting these comprehensive technical requirements is a complex, resource-intensive task that can delay market launch. Failure to comply could result in the loss of CE marking, withdrawal from the market, and significant fines.
SECO addresses these challenges in meeting CRA requirements by delivering hardware and software platforms engineered for compliance, integrating native security features from silicon vendors and advanced protection technologies such as firmware validation, real-time monitoring, and automated software bill of materials (SBOM) generation. The company also relies on strong partnerships that enable industrial companies to comply with the stringent requirements of the RED directive. In the following, we would like to introduce you to some of the functions that SECO uses to ensure compliance with safety requirements.
Foundation with Clea OS: SECO’s Clea OS provides the essential features for RED compliance. It is a hardware-agnostic operating system, based on Yocto Linux, which facilitates meeting the cybersecurity requirements in EN 18031-1, handling critical functions like secure boot and firmware validation. Clea OS integrates silicon vendor security technologies natively, delivering a fully secure and compliant product experience with minimal configuration from the customer.
Critical Runtime Protection with Exein: SECO has chosen Exein as a strategic partner to provide advanced, runtime anti-intrusion protection. While RED compliance is essential, active defense is critical. Exein’s embedded technology offers real-time processor execution analysis, automated vulnerability detection, and in-memory protection. This means it can detect and stop attacks as they happen by monitoring deviations from expected behavior at the system level. This moves beyond a static compliance check to provide robust, active security for deployed devices.
Streamlined Certification: SECO provides customers with technical support and the necessary documentation for all parts of the EN 18031 standard, significantly reducing the complexity and effort required from internal teams to achieve final product certification.
Conclusion
The upcoming August 2025 RED deadline is transforming the regulatory landscape. While this presents a challenge, it’s also an opportunity to build fundamentally more secure products. Partnering with SECO allows companies to offload the complexity of compliance and, with the power of Exein, deploy devices with active runtime protection that goes far beyond the minimum requirements.
Contact a SECO expert today to future-proof your products and ensure your continued access to the EU market.