RED Cybersecurity Requirements (2025/2026): Article 3.3 Explained

RED cybersecurity requirements explained for 2025/2026. Learn how Article 3.3 impacts connected products, EN 18031, testing, and CE compliance in the European Union (EU).

CE CERTIFICATION | CYBERSECURITY

TauroCert

3/30/2026

RED Cybersecurity Requirements (2025/2026): What Manufacturers Must Know

Introduction

Cybersecurity is no longer optional for connected products in the European Union.

With the enforcement of cybersecurity requirements under the Radio Equipment Directive (RED), manufacturers of connected devices must ensure their products meet new standards related to data protection, privacy, and network security.

These changes, especially under Article 3.3, significantly impact how products are designed, tested, and certified for the EU market.

In this guide, we explain what changed in 2025/2026, which products are affected, and how manufacturers can comply.

What Is the Radio Equipment Directive (RED)?

The Radio Equipment Directive (RED) is the EU legislation that regulates wireless and radio-enabled products.

It ensures that products using radio technologies:

  • Use the spectrum efficiently

  • Do not cause harmful interference

  • Are safe for users and networks

Traditionally, RED focused on RF performance, EMC, and safety. Now, it has expanded to include cybersecurity requirements.

What Is Article 3.3 and Why It Matters

Article 3.3 of RED introduces additional essential requirements for certain categories of radio equipment.

The most relevant cybersecurity-related provisions include:

  • Article 3.3(d): Protection of networks from harm

  • Article 3.3(e): Protection of personal data and privacy

  • Article 3.3(f): Protection against fraud

These requirements are now mandatory, meaning manufacturers must demonstrate compliance before placing products on the EU market.

What Changed in 2025/2026?

The key change is that cybersecurity requirements under RED have moved from being optional or inactive to fully enforceable.

This means:

  • Manufacturers must demonstrate cybersecurity compliance

  • Technical documentation must include cybersecurity aspects

  • Products may require additional testing and evaluation

  • CE marking will now include cybersecurity compliance

In practice, this adds a new compliance layer on top of existing RED requirements.

Which Products Are Affected?

The new requirements apply to a wide range of connected and wireless products, including:

  • IoT devices (smart home, smart appliances)

  • Wireless consumer electronics

  • Connected industrial equipment

  • Devices processing personal data

  • Internet-connected radio equipment

If your product:

  • Connects to the internet (even if indirectly)

  • Processes user data

  • Communicates with other devices

👉 It is very likely affected.

Role of EN 18031 (Cybersecurity Standard)

A key development is the introduction of the EN 18031 cybersecurity standard, which provides a framework for demonstrating compliance with RED cybersecurity requirements.

This standard defines:

  • Security requirements for connected devices

  • Risk assessment methodologies

  • Technical and organizational measures

Using EN 18031 can help manufacturers achieve presumption of conformity under RED.

What Do Manufacturers Need to Do?

To prepare for RED cybersecurity requirements, manufacturers should take the following steps:

1. Identify Applicability

Determine whether your product falls under Article 3.3(d), (e), or (f).

2. Perform Cybersecurity Risk Assessment

Assess risks such as:

  • Unauthorized access

  • Data breaches

  • Network misuse

  • Software vulnerabilities

3. Implement Security Measures

Examples include:

  • Secure communication protocols

  • Authentication mechanisms

  • Encryption

  • Secure firmware updates

4. Update Technical Documentation

Your technical file must now include:

  • Cybersecurity risk assessment

  • Security architecture

  • Evidence of implemented controls

  • Test results and validation

5. Plan for Testing and Validation

Depending on the product, this may include:

  • Penetration testing

  • Vulnerability assessments

  • Functional security testing

6. Review CE Compliance Strategy

Cybersecurity must now be integrated into your overall CE marking process.

Do You Need a Notified Body?

This depends on how compliance is demonstrated:

  • If harmonized standards (like EN 18031) are fully applied → self-certification is possible

  • If not → involvement of a Notified Body may be required

This makes early strategy definition critical.

Common Challenges for Manufacturers

Many companies are not yet fully prepared for these changes. Common challenges include:

  • Lack of cybersecurity expertise

  • Unclear requirements and standards

  • Difficulty integrating security into existing designs

  • Incomplete technical documentation

  • Underestimating testing complexity

Final Thoughts

The introduction of cybersecurity requirements under RED marks a major shift in EU product compliance.

Manufacturers must now treat cybersecurity as a core design and certification requirement, not an afterthought.

Those who prepare early will gain:

  • Faster time to market

  • Reduced risks

  • Stronger product trust
