Release date: 6.26.2025
Are Your Connected Devices Ready for the New Requirements?
Time is running out. By August 1, 2025, all manufacturers placing CE-marked radio devices on the European market will be required to comply with new cybersecurity requirements under the EU's Radio Equipment Directive (RED).
If your connected products use Wi-Fi, Bluetooth, NFC, LTE/5G, or any other radio interface, this applies to you. Whether you're making smart home devices, industrial sensors, wearables, or embedded medical systems - if it’s radio-enabled, it’s in scope.
So, what exactly is changing? And how can your organization stay compliant without slowing down innovation? Let’s break it down.
What Is the RED Cybersecurity Mandate?
The Radio Equipment Directive (RED) ensures that radio-equipped products entering the EU market are safe and function as intended. While RED has been in force for years, the cybersecurity provisions under Articles 3.3(d), (e), and (f) become mandatory as of August 1, 2025.
These articles require that all relevant products:
- Protect network integrity – Devices must not harm the network or misuse its resources.
- Safeguard personal data and privacy – Devices must ensure confidentiality and proper handling of user information.
- Prevent fraud and misuse – Devices must be secure by design, minimizing the risk of malicious manipulation.
The implementation of these requirements is supported by the new harmonized standards EN 18031-1, -2, and -3, which detail baseline cybersecurity expectations across the full lifecycle of radio equipment.
Learn more about RED and the harmonized standards under the RED: Radio Equipment Directive (RED) - European Commission
Which Products Are Affected?
If your product is network-connected via radio, it most likely falls under RED’s scope.
This includes:
- Consumer IoT devices (smart locks, speakers, TVs, lighting, etc.)
- Industrial and SCADA sensors and controllers
- Wearables and health-monitoring devices
- Embedded systems in connected appliances
- Children's toys with communication features
- Connected vehicle equipment
- Mobile-connected point-of-sale (POS) terminals
- Any other product with Wi-Fi, Bluetooth, NFC, cellular, etc.
What ties these categories together is the exposure to cyber threats - and the EU is mandating that manufacturers take security seriously, not just in code, but in overall system design and lifecycle maintenance.
What Do RED and CRA Really Expect in Terms of Threat Intelligence and Penetration Testing?
Radio Equipment Directive (RED) Cybersecurity Requirements
As already mentioned above, under Articles 3.3(d), (e), and (f), the RED requires that manufacturers ensure CE-marked radio equipment:
- Does not harm network functionality
- Protects personal data and privacy
- Includes safeguards against fraud
To meet these goals, the new harmonized standards EN 18031-1, -2, and -3 (released in August 2024) expect manufacturers to implement technical controls and documented processes for:
- Risk assessment and threat modeling relevant to the device's functions and interfaces
- Security design and testing of critical components such as authentication, update mechanisms, and wireless interfaces
- Security validation through testing, including penetration testing to confirm that protections are effective in real-world scenarios
- Monitoring of known vulnerabilities and use of threat intelligence to assess exposure throughout the product lifecycle
Penetration testing is not optional - it’s expected as part of demonstrating protection against reasonably foreseeable threats. That includes both interface-level testing (e.g., BLE, NFC, Wi-Fi, or cellular) and system-level evaluation of attack paths involving cloud, app, or hardware integrations.
EN 18031-1:2024 (A 2.3) requires manufacturers to perform continuous threat modeling and security risk assessments - keeping abreast of vulnerabilities and integrating that knowledge into design, patching, and risk management processes. Threat modeling and threat intelligence are distinct activities, but threat intelligence informs and enhances threat modeling in several important ways; using threat intelligence is therefore a best practice that improves the quality and effectiveness of threat modeling.
EN 18031-1:2024, the harmonized standard supporting RED Articles 3.3(d)-(f), requires risk analysis, security design, and validation activities proportionate to the threats a device is exposed to. Among other things, it calls for justifications such as "an analysis of relevant risks related to the operation of the equipment within its reasonably foreseeable use and intended equipment functionality."
This mirrors language in other EU regulations, including:
- General Product Safety Directive (GPSD): Requires protection against “foreseeable risks.”
- Cyber Resilience Act (CRA): Also uses language such as “expected use” and protection against known vulnerabilities, implicitly referring to threats that are reasonably foreseeable based on current threat intelligence.
Cyber Resilience Act (CRA)
The CRA, approved by the EU Parliament in March 2024, will apply to virtually all connected products sold in the EU - including both hardware and software. It goes even further than RED, requiring that:
- Manufacturers perform and maintain a cybersecurity risk assessment
- Products are secure by design and default
- Critical vulnerabilities are reported within 24 hours
- Products undergo conformity assessments, including vulnerability testing
- Manufacturers maintain cybersecurity support for the entire lifecycle (minimum 5 years for most products)
Like the RED, the CRA emphasizes the technical validation of security claims - including real-world testing of components and systems. The CRA's Annex I, Part II (3) and Annex II require manufacturers to "apply effective and regular tests and reviews of the security of the product with digital elements" and state that "the supporting evidence shall include, where necessary, the results of tests carried out by the appropriate laboratory of the manufacturer, or by another testing laboratory on its behalf and under its responsibility" as part of the cybersecurity conformity assessments.
Moreover, the CRA also underscores the importance of continuous monitoring of threat intelligence sources and known vulnerability databases to ensure timely mitigation and reporting.
How Are RED and CRA Connected?
While the RED applies specifically to radio-enabled products (via the CE-marking framework), the CRA applies more broadly to all connected hardware and software entering the EU market.
Here's the connection:
- If you are already working to comply with the RED’s cybersecurity articles, you're addressing a subset of the CRA requirements.
- The RED is a “sector-specific” regulation, while the CRA is horizontal, meaning that the CRA serves as a legal umbrella - and the RED, where it overlaps, must align with it.
- For devices in scope of both, the requirements are complementary: meeting the RED gets you part of the way there, but it does not make you fully CRA-compliant. The CRA adds deeper lifecycle obligations, vulnerability disclosure duties, and broader product security expectations.
In practice, this means:
- Threat intelligence, vulnerability tracking, and penetration testing are central to both regulations.
- Investing in product-focused cybersecurity now for the RED will ease your CRA compliance efforts in the coming 1–2 years.
- Manufacturers should aim for CRA-level rigor in RED preparations - especially for risk management, testing, and documentation.
Why Secure Coding Isn’t Enough
While secure coding is essential, it doesn't guarantee protection against real-world attackers who think creatively, combine vulnerabilities, and exploit overlooked weak spots - especially in devices with constrained hardware, legacy stacks, or mixed trust zones.
Compliance means resilience, and resilience requires understanding:
- How devices can be abused in the wild
- How attackers target wireless protocols, firmware, or update systems
- How exposed debug interfaces or backend APIs can be leveraged
- How cloud-connected or companion app-integrated devices can be hijacked
This is where product-focused threat intelligence and penetration testing make all the difference.
How PCA Cyber Security Can Help
At PCA Cyber Security, we work with leading manufacturers of embedded, IoT, and connected devices to help them meet RED cybersecurity obligations through:
- Tailored penetration testing of real-world attack vectors (RF, BLE, Wi-Fi, cellular, etc.)
- Threat intelligence mapped to your specific product class and use case
- Validation of secure boot, OTA updates, authentication flows, and encryption mechanisms
- Compliance-aligned documentation and technical evidence for MDR, RED, FDA, and more
- Support for risk-based prioritization and remediation to optimize your roadmap and meet deadlines
Our methodology goes beyond static checklists. We simulate what real attackers do - and deliver technical, actionable insights your product, compliance, and engineering teams can use.
Let’s Turn Intelligence into Action
The August 1, 2025 deadline is fast approaching. Don’t wait until your compliance team or notified body flags a gap - start building a secure foundation now.
Let’s explore how PCA’s Product-focused Threat Intelligence Platform (TICAP) and security services can support your RED compliance journey.
Book a free consultation with our experts!
Let’s make your connected products safer - for the users who depend on them and the markets you serve.