Introduction and legal framework
IoT (Internet of Things) has seen incredible diffusion in the last decade thanks to technologies such as Wi-Fi, Bluetooth and NFC, which make products interconnected, turn them into radio equipment, and bring them into homes and industrial facilities all over the world. In the cybersecurity sector, IoT devices are commonly considered a critical security risk: endpoints in the smart home sector are still poorly secured or not secured at all, and manufacturing and industrial facilities sometimes have major gaps in IT and OT security. According to research published by the Council of the European Union, the global economic cost of cybercrime in 2020 was an appalling €5.5 trillion, and according to a 2022 study by Trend Micro, 90 percent of German companies in the power, oil and gas, and manufacturing sectors said they had been affected by cyberattacks within 12 months, with an average damage of about 2.9 million euros. Lately, the spread of wearable devices on the one hand, and the ever-growing importance of data protection on the other, especially as AI data-driven systems gain a primary role in the market offering of OEMs and manufacturers, have strengthened the need to go beyond the GDPR (Regulation (EU) 2016/679) and the R&TTE Directive (99/5/EC). Given the timeframe in which those acts were conceived and came into effect, they did not consider many cybersecurity threats that are now very real and must be taken into account.
In the European single market framework, the Radio Equipment Directive (RED) 2014/53/EU establishes requirements for electromagnetic compatibility (EMC), electrical safety, and the effective and efficient use of the radio spectrum (RF), which depend primarily on hardware and low-level software. The RED has been in effect since June 13, 2016, replacing the previous R&TTE Directive 1999/5/EC and using most of the definitions contained in the GDPR. Starting August 2025, the directive will also introduce cybersecurity requirements, which are primarily influenced by high-level software. To enhance cybersecurity and data protection, the European Commission adopted Delegated Regulation (EU) 2022/30 on October 29, 2021, supplementing the RED with cybersecurity mandates under Articles 3(3)(d), (e) and (f).
The specific categories of radio equipment affected by this regulation include:
- Internet-Connected Radio Equipment: Devices capable of communicating over the internet, either directly or through other equipment. This encompasses a wide range of consumer electronics such as smartphones, tablets, and wearables.
- Radio Equipment Designed or Intended Exclusively for Childcare: Devices specifically designed to monitor or assist in childcare, including baby monitors.
- Radio Equipment Covered by the Toy Safety Directive 2009/48/EC: Toys that incorporate radio functions and are capable of recording, storing, or sharing information, interacting with users (especially children), or integrating components like speakers, microphones, or sensors.
- Wearable Radio Equipment: Devices designed to be worn on, strapped to, or hung from any part of the human body or clothing. Examples include smartwatches, fitness trackers, headsets, earphones, or smart glasses.
Notably, medical devices are excluded from the provisions contained in the Delegated Regulation (EU) 2022/30, since they are subject to their own specific cybersecurity provisions under Regulations (EU) 2017/745 and (EU) 2017/746. The same applies to other devices already covered by existing EU regulations, excluded from the scope of the RED directive, such as civil aviation (Regulation (EU) 2018/1139), electronic road toll systems (Directive 2019/520) and more.
This Radio Equipment Directive compliance regulation was initially set to apply from August 1, 2024. However, to give manufacturers additional time to comply, the European Commission extended the application date by one year. The new mandatory compliance date for Delegated Regulation (EU) 2022/30 is now August 1, 2025, a date right around the corner for three groups: Manufacturers, which should consider accelerating the implementation of technical measures to comply with the additional requirements; Distributors of Manufacturers’ devices containing connectivity modules; and Integrators/OEMs, which should take the new requirements into account when developing integrated, connected products using Radio Equipment produced by Manufacturers.
Technical Features for the Protection of Privacy, Personal Data, and Against Fraud
The Delegated Regulation (EU) 2022/30 supplements the Radio Equipment Directive (RED) through three critical articles, each addressing specific cybersecurity-related mandates for radio equipment.
- Article 3(3)(d) addresses the common cybersecurity requirements for internet-connected radio equipment. This provision stipulates that radio equipment must be designed so as not to harm the network or its functions, misuse network resources, or cause unacceptable service degradation, preventing the device from disrupting the functionality of websites or services.
- Article 3(3)(e) includes common security requirements specifically targeting radio equipment that processes personal data. Under this article, radio equipment must incorporate safeguards ensuring the protection of users' and subscribers' personal data and privacy, prescribing measures to prevent unauthorized access or transmission of consumers’ personal data.
- Article 3(3)(f) introduces requirements aimed at preventing fraud. Specifically, it covers radio equipment capable of processing virtual money or monetary values, requiring these devices to support specific security features, such as stronger user authentication controls, that protect against fraudulent activities.
Additionally, the RED recognizes the potential risks associated with the combination of radio equipment and software, particularly concerning compliance after modifications. Article 4 requires manufacturers to provide information on the compliance of intended combinations of radio equipment and software. This ensures that, after the installation of new or modified software, the radio equipment remains compliant with the directive's essential requirements.
How to comply?
As of January 28, 2025, the European Commission harmonized three EN 18031 standards under the RED directive, establishing a clearer path for manufacturers to demonstrate cybersecurity compliance. However, it's crucial to note that certain clauses within these standards carry specific restrictions. This means manufacturers cannot automatically assume full compliance by merely adhering to these harmonized standards. For example, products allowing user operation without mandatory password protection, or products lacking necessary parental access controls, may require additional compliance actions beyond the standards themselves.
In such scenarios, manufacturers should engage directly with a Notified Body, an organization designated by an EU country to assess product conformity before market placement. Notified Bodies carry out the conformity assessment procedures defined by the applicable legislation whenever third-party evaluation is required, and the European Commission maintains an official list of such bodies. Engaging with a Notified Body ensures that manufacturers' products meet all cybersecurity-specific requirements outlined by the RED, accounting for any limitations within the harmonized standards.
Additionally, manufacturers should proactively implement robust cybersecurity measures, including secure boot mechanisms, mutual authentication, and consistent security update practices. Such practices not only satisfy RED's essential objectives of safeguarding personal data and preventing fraud but also strengthen overall device security.
Given the dynamic regulatory landscape, manufacturers must stay continuously informed about updates to harmonized standards and broader RED cybersecurity requirements. Regular dialogue with industry experts such as SECO and participation in relevant training sessions or workshops can significantly support compliance readiness.
The Role of SECO and Clea
SECO has a strong track record in R&D and quality assurance, positioning itself as a trusted partner committed to navigating evolving regulatory frameworks such as the Radio Equipment Directive (RED). SECO continuously monitors developments in IoT device regulatory standards, actively engaging with certification laboratories and maintaining an open dialogue with customers to ensure readiness and support for upcoming compliance requirements.
SECO’s comprehensive IoT software suite, Clea, offers significant value for manufacturers striving to align with the upcoming RED cybersecurity mandates. Clea provides powerful tools for secure data orchestration, device management, and AI-driven applications, making it a strategic solution for manufacturers proactively working towards RED compliance. With features like mutual SSL authentication, certificate rotation, and secure OTA (Over-the-Air) updates, Clea enhances endpoint security management and network integrity, helping manufacturers build robust cybersecurity frameworks that address future regulatory needs. Thanks to the integration of the Exein premium platform for IoT device cybersecurity, and specifically of its Runtime Security and Analyzer components, the connected fleet is safeguarded in real time and vulnerabilities are detected automatically before and after deployment.
Additionally, Clea serves as an enabling platform for manufacturers transitioning toward servitization, offering capabilities such as data monetization, subscription models, and integrated AI/ML pipelines via Clea Portal. Through this proactive approach, SECO demonstrates its commitment to assisting clients in addressing regulatory compliance challenges while unlocking new opportunities for growth and innovation.
Visit SECO.com to discover how SECO can help companies develop RED-compliant smart products with cutting-edge IoT security, servitization capabilities, and seamless connectivity.