Regulatory update background:
With the spread of Internet of Things (IoT) devices across the EU market, from smartwatches to baby monitors, billions of connected devices have become part of daily life. The 2014 Radio Equipment Directive (RED) did not foresee this wave of growth, and the regulatory framework of that time contained no cybersecurity requirements. As a result, recurring incidents such as DDoS attacks, personal data breaches and financial fraud have become a disruptive risk to the EU's digital single market.
The European Commission initiated the revision of RED in 2021, incorporating cybersecurity into core compliance requirements. This decision stems from two key understandings:
• Secure by default: IoT devices need protection mechanisms built in during the design phase, rather than relying on remediation after deployment.
• Tiered control: Articles 3.3 (d), (e) and (f) address different device risk profiles (network connectivity, personal data processing, electronic payments) so that each class of threat is targeted precisely.
The EN 18031 series of standards is the technical specification and implementation benchmark for the cybersecurity requirements of the RED. It is divided into three parts (EN 18031-1/2/3), corresponding to the three protection goals of RED Article 3.3 (protection of the network from harm, protection of privacy, and protection from fraud).
In EN 18031 terminology, the objects protected under (d), (e) and (f) are all "security assets"; after assessment they are classified into the three categories of network assets, privacy assets and financial assets respectively.
Regulatory Implementation Timeline:
• On January 30, 2025, the European Commission published the EN 18031 series in the Official Journal of the European Union (OJ) as harmonised standards under the Radio Equipment Directive (RED), making the series a key basis for cybersecurity compliance of radio equipment within the EU.
• From August 1, 2025, the cybersecurity provisions of RED Article 3.3 (d), (e) and (f) become mandatory.
Key points of regulatory updates:
New requirements added to Article 3.3 of the RED:
• 3.3 (d): For devices that connect to the network on their own (such as mobile phones and smart appliances), the device must not harm the network (for example by taking part in denial-of-service attacks) and must not misuse network resources such as bandwidth.
• 3.3 (e): For devices that process personal or location data (such as wearable devices and children's toys), the device must enforce end-to-end encryption and access control, in line with Article 4 of the GDPR and the Electronic Communications Privacy Directive.
• 3.3 (f): For devices that support electronic payments (such as mobile payment terminals and cryptocurrency hardware wallets), the device must strengthen transaction verification (for example with multi-factor authentication) to prevent fraud and theft of virtual currency.
• Exemption scope: radio equipment covered by Regulation (EU) 2017/745 (medical devices), Regulation (EU) 2017/746 (in vitro diagnostic medical devices), Regulation (EU) 2018/1139 (civil aviation safety), Regulation (EU) 2019/2144 (vehicle type approval) and Directive (EU) 2019/520 (electronic road pricing systems) is exempt from Article 3(3) (e) and (f).
Key security and compliance requirements of (EU) 2025/138:
• Default password issue: If a device offers password-based authentication but allows the user to leave the password unset or not to use one, the harmonised standard does not confer a presumption of conformity with the essential requirements of the Directive. In practice, the device must require the user to set a password.
• Access control for toys and childcare equipment: If the device does not provide access control for parents or guardians, it does not meet the essential requirements of the Directive. In practice, these devices must include mechanisms that parents or guardians can control.
• Security updates for financial assets: The assessment criteria for security updates define several implementation categories, and no single category on its own is sufficient to protect financial assets. In practice, several security measures must be considered together.
Note: Product types for which a Notified Body (NB) is required: IoT devices without passwords; Bluetooth devices whose login identity and password are set through an app; Bluetooth devices that join a network; toys (children's watches, recording dolls) and baby monitors; payment devices and devices involving cryptocurrency.
At BTF Testing Lab we operate electromagnetic compatibility, safety, wireless radio frequency, battery, chemical, SAR and HAC laboratories, among others, and hold qualifications and authorizations including CMA, CNAS, CPSC and VCCI. Our experienced technical engineering team can help enterprises resolve their compliance issues. If you have testing or certification needs, contact our testing staff directly for a detailed quotation and lead-time information.
Post time: Mar-31-2025