
New RED Standards Published: Is Your Business Ready for Compliance?


New RED Cybersecurity Standards

Do you remember the Radio Equipment Directive (RED) Delegated Act (DA) on cybersecurity? In our previous blog post - The Ultimate Guide to RED’s Newest Cybersecurity Requirements - we introduced you to the RED DA, published in 2022, to boost the security of internet-connected radio devices. While the RED ensures devices meet essential health, safety, and performance standards, the RED DA added new cybersecurity requirements to protect users and networks from potential threats.


At that time, the standards manufacturers would need to follow were still in draft form. Now, there’s exciting news: the long-awaited EN 18031 standards have been officially published! Manufacturers have until August 1st, 2025 to comply, which is just around the corner. That means companies must act now and align their products with these new security guidelines.


To be more precise, although the EN 18031 series was published in September 2024, it has not yet been harmonized in the EU Official Journal (OJ), meaning it cannot technically be used for RED DA compliance yet. The European Commission is currently working on the harmonization.


EN 18031

To recap, the series is composed of three standards:


  • EN 18031-1: Addresses security and network risks for connected radio devices.

  • EN 18031-2: Focuses on security and privacy risks for radio devices that process personal data.

  • EN 18031-3: Covers security and financial risks for radio devices processing virtual currency.


These standards mainly address technical product requirements, leaving other considerations - like incident response and vulnerability handling and disclosure - to other legislation such as the Cyber Resilience Act and NIS2.


Relationship with other standards

Let’s focus on EN 18031-1, which addresses cybersecurity and network security. This standard is generally comparable to other well-established standards in the IoT field. Specifically, EN 18031-1 provides a mapping of its requirements to two well-known standards: ETSI EN 303 645, a key standard for cybersecurity in consumer IoT products, and IEC 62443-4-2, which focuses on technical security requirements for industrial control systems.


Although EN 18031-1 clearly states that certification under 62443-4-2 is not enough for full compliance, both standards offer solid coverage of many security principles.


Product compliance timing

Radio equipment shall comply with the legal requirements that are in place when it is placed on the market. A product is considered placed on the market when it is made available for the first time within the EU. This applies to each individual product, not just the product type, whether it is produced as a single item or in a series.

This means that starting from August 1st, 2025, every unit sold must be compliant with the RED Delegated Act.


How Security Pattern can help

We offer various consultancy services and training modules to support your organization with cybersecurity challenges.


Cybersecurity Training


  • Our training modules have been designed to introduce your team to IoT standards and legislation.


Compliance Gap Analysis


  • Discover our Compliance Gap Analysis for IEC 62443-4-2 (product requirements) and for ETSI EN 303 645 (compliance assessment).


SBOM and Vulnerability Management


  • An SBOM is an important artifact requested by various regulations and standards. Creating, maintaining and sharing SBOMs are important practices for improving supply chain transparency: power up your product security with the ARIANNA platform.


Security Pattern’s cybersecurity experts have been supporting Device Manufacturers since 2017.




