The Radio Equipment Directive (RED) update – everything you need to know

Written by Tarmo Kellomäki
Director, Digital Security & Functional Safety

The EU’s Radio Equipment Directive has been in force since 2016. The directive will be updated next year with new 3.3 d/e/f cybersecurity specifications. All individual radio products placed on the EU market after 1.8.2025 will have to comply with the new requirements.

Here is a summary of everything you need to know about the Radio Equipment Directive update. Make sure to contact us – our experts at Huld are ready to help you meet the requirements!  

What is the Radio Equipment Directive? 

The Radio Equipment Directive (RED) is a regulation for the design, manufacturing and placing on the market of radio equipment in the European Union. The Directive is updated by a new delegated regulation 3.3 d/e/f, which aims to improve the security of wireless devices by setting uniform requirements for them.   

Radio equipment includes wireless electrical and electronic equipment that emits and receives radio waves or has a built-in radio component for wireless connection (e.g. WiFi, Bluetooth, NB-IoT). The security requirements apply to all wireless devices connected to the Internet directly or through another device.  

The directive covers, for example: 

  • IoT devices that transmit data over the internet, such as a wireless thermometer and humidity sensor 
  • Industrial wireless devices connected to the Internet 
  • Smartphones, tablets, wireless cameras, speakers, and headphones 
  • Wearable devices such as smartwatches, sports watches and activity trackers 
  • Remote-controlled toys and childcare equipment, such as baby monitors 

What does the Radio Equipment Directive oblige you to do?

Manufacturers and importers of radio equipment must ensure that their products meet the criteria of the Directive. In addition, manufacturers and importers must ensure that, in the event of security problems, the products can be corrected and updated.

Key obligations of Article 3.3 d/e/f cybersecurity specifications: 

  • Article 3.3 (d) – Radio equipment does not damage the network or its operation, nor misuse network resources, thereby causing degradation of service. 
  • Article 3.3 (e) – Radio equipment includes security measures to protect the personal data and privacy of the user. 
  • Article 3.3 (f) – Radio equipment supports certain features that protect against fraud. 

More detailed harmonised standards are not yet available. The standards, under development by CEN/CENELEC, are expected to be ready in summer 2024. These harmonised standards will support the key obligations and include more detailed technical requirements for radio equipment. Examples of possible technical requirements can be found in the EU’s standardisation request.

In the standardisation request, the requirements would cover, for example: 

  • Appropriate authentication and access control mechanisms 
  • Automated and secure mechanisms for updating software or firmware 
  • Mechanisms to mitigate DDoS attacks. 

What happens if you don’t comply with the requirements? 

All individual radio products placed on the EU market after 1.8.2025 will have to comply with the new cybersecurity requirements. However, older equipment that has already been placed on the EU market can continue to be used until the end of its life cycle without any special adaptation.

If radio equipment does not meet the new information security requirements, it will not receive the CE marking. The CE marking indicates that the device complies with the requirements of the EU legislation. Without this marking, the device cannot be placed on the EU market or used in the EU. The conformity of radio equipment sold and used in Finland is supervised by the Finnish Transport and Communications Agency Traficom.

Our experts are ready to help you!

The updated Radio Equipment Directive will affect all manufacturers who place radio equipment on the EU market. Although harmonised standards have not yet been published, you should start preparing for compliance now, regardless of the current stage of your product development. 

Our cybersecurity experts will help you meet the requirements of the new regulation to keep your products on the EU market. Our professionals specialise in the cybersecurity standards that underpin the future requirements. These include ETSI EN 303 645 and the ISA/IEC 62443-4-2 Industrial Control System Cybersecurity standard.

Contact us
Tarmo Kellomäki
Director, Digital Security & Functional Safety
+358 44 562 5222