From August 2025, cybersecurity will be mandatory on your devices: this is what the RED-DA requires.
The rise and rapid evolution of connected technologies and devices driven by digital transformation have opened up a huge range of possibilities and conveniences for users and businesses. However, they also bring cybersecurity risks and challenges that must be addressed for any kind of connected device, such as communications security, data protection, and fraud detection and prevention.
In this context, the European Commission adopted Commission Delegated Regulation (EU) 2022/30, published in January 2022 and better known as RED-DA. This regulation supplements the Radio Equipment Directive (RED, 2014/53/EU) by activating its cybersecurity-related essential requirements for specified categories of radio equipment. Its application date, originally 1 August 2024, was postponed by Delegated Regulation (EU) 2023/2444, and it is mandatory from 1 August 2025.
WHAT IS DIRECTIVE 2014/53/EU?
To understand the implications of RED-DA, it is first necessary to put Directive 2014/53/EU on radio equipment (RED) into context. Since 2016, this directive has regulated electrical or electronic equipment placed on the European Union market that intentionally emits and/or receives radio waves for the purpose of communication or radiodetermination. In summary, such equipment has two main characteristics:
- It intentionally transmits or receives radio waves, which RED (Art. 2) defines as electromagnetic waves of frequencies below 3000 GHz propagated in space without artificial guide.
- It communicates using wireless technologies such as 5G, LTE, Wi-Fi, Bluetooth, Zigbee, LoRa or GNSS.
It should be noted that not all communications equipment is covered by RED by default; the following are exempt:
- Communications equipment that does not incorporate radio frequency transmitters or receivers or that incorporates exclusively wired communications (e.g. Ethernet routers without Wi-Fi).
- Equipment excluded from RED itself, or from the scope of RED-DA, because it is covered by sector-specific legislation: airborne equipment and unmanned aircraft (civil aviation), marine equipment, medical devices, motor vehicles, electronic road toll systems, and equipment used exclusively for defence or State security.
In terms of scope, RED establishes essential requirements to ensure:
- The health and safety of the user (Art. 3.1 (a))
- The electromagnetic compatibility of equipment, commonly abbreviated as EMC (Art. 3.1(b))
- The efficient use of the radio spectrum (Art. 3.2)
- Features such as interoperability with accessories (in particular common chargers), protection of personal data and privacy, protection against fraud and others (Art. 3.3). These Article 3.3 requirements apply only to the categories of equipment that the Commission designates through delegated acts, which is why most of them have not been enforceable until now.
WHAT IS A DELEGATED ACT AND WHAT DOES RED-DA IMPLY?
A delegated act is a legal instrument (Article 290 TFEU) that allows the European Commission to supplement or amend non-essential elements of existing legislation, such as directives, without going through the full ordinary legislative procedure; the Parliament and the Council keep the right to object to it. It is a more agile way of adapting rules to new needs, technologies or risks. In this case, the Commission used Delegated Regulation 2022/30 to designate the categories of radio equipment to which three of the requirements of Article 3.3 of RED apply, thereby making them mandatory:
- Article 3.3(d): The equipment must not harm the network or its functioning, nor misuse network resources, thereby causing an unacceptable degradation of service.
- Article 3.3(e): Equipment must adequately protect personal data and user privacy.
- Article 3.3(f): Equipment must include mechanisms to prevent fraud, such as unauthorised access or payments.
These requirements, legally enforceable from 1 August 2025, apply to internet-connected radio equipment in general (Art. 3.3(d)); to internet-connected equipment, childcare equipment, toys and wearables that process personal data, traffic data or location data (Art. 3.3(e)); and to internet-connected equipment that enables the holder or user to transfer money, monetary value or virtual currency (Art. 3.3(f)). In practice this covers a wide range of wireless products, such as consumer IoT devices, smart locks, connected toys, wearables, remote control systems, virtual assistants, routers, etc.
From that date onwards, any device subject to RED-DA must comply with these cybersecurity requirements as an essential condition for obtaining the CE marking and being legally marketed in Europe.
To support compliance with RED-DA, the European Committee for Standardisation (CEN) and the European Committee for Electrotechnical Standardisation (CENELEC) have developed the EN 18031 series, against which equipment can be tested and certified. It has three parts, one per activated requirement:
- EN 18031-1:2024: Network protection – common security requirements for internet-connected radio equipment (RED-DA, Art. 3.3(d)).
- EN 18031-2:2024: Protection of personal data and privacy – requirements for equipment processing personal, traffic or location data, including childcare equipment, toys and wearables (RED-DA, Art. 3.3(e)).
- EN 18031-3:2024: Protection against fraud – requirements for equipment processing money, monetary value or virtual currency (RED-DA, Art. 3.3(f)).
This harmonised standard provides both a description of the requirements that each type of device must meet and the rationale, assessment criteria and guidance for each of them. The references of the three parts were published in the Official Journal of the European Union in January 2025, but with restrictions: where a product relies on a configuration that a restriction excludes (for example, allowing the user to operate the equipment without setting a password), applying the standard alone does not give a presumption of conformity, and a notified body must be involved for that requirement.
WHAT IMPACT DOES RED-DA HAVE ON THE DEVELOPMENT AND UPDATING OF DEVICES?
Both this Regulation and the Cyber Resilience Act (CRA), whose main obligations apply from 11 December 2027 (with vulnerability and incident reporting obligations from 11 September 2026), have a significant impact on the development of new devices, and also on the updating of devices already on the market for which new versions are prepared or launched from 1 August 2025. This impact reaches different aspects of the design and development of devices with wireless communications, which can be summarised in three fundamental pillars:
- Integrating cybersecurity measures from the initial architecture phase, such as isolation of memory regions and critical functions, encryption of communications, authentication methods and secure management of remote (OTA) updates.
- Selecting hardware components, processing elements (microcontrollers, SoCs, SoMs, etc.) and communications modules that support hardware and software security features such as secure boot, memory isolation, key storage and verification, and tamper detection.
- Treating cybersecurity as a basic criterion in the design and development of the device firmware, implementing mechanisms that are both robust and demonstrable, since the EN 18031 assessment requires evidence of how each mechanism works, not merely its presence.
In addition to building these measures into product design and development, manufacturers must demonstrate compliance with the applicable standards. As for the other RED essential requirements, there are two routes: internal production control (self-assessment, Module A), which for Article 3.3 requirements is available only when the harmonised standards have been applied in full, or conformity assessment by a notified body (EU-type examination, Module B, followed by Module C, or full quality assurance, Module H).
At ITCL, we offer a comprehensive and practical approach that covers the entire cycle of design, development, validation and certification support to help device manufacturers comply with RED-DA and anticipate the Cyber Resilience Act. In this way, we help launch, maintain and update products on the market in full regulatory compliance. To this end, we offer key services that can be applied at any point in the product life cycle according to specific needs in order to comply with both RED-DA and other types of regulations and standards:
- Design and redesign of embedded hardware applying physical and logical cybersecurity principles and components.
- Development of secure firmware and software with integration of cryptographic mechanisms, secure boot, protected partitions (TrustZone, MPU/MMU) and secure remote updates (OTA).
- Hardware and firmware validation applying evaluation criteria in accordance with applicable regulations.
- Advice on applicable regulations and tests, selection of test laboratories, and management of the testing and marking processes.
- Hardware and firmware optimisation to correct non-conformities.
- Analysis of compliance with applicable regulations and generation of technical documentation for marking and approval files.
