Important! The EN 18031 series of standards has officially become a harmonised standard under the CE RED directive and will be enforced from August 1, 2025!
Publisher: Admin  Date: 2025/4/11

Regulation update background:

 

With the popularity of Internet of Things (IoT) devices in the EU market, from smart watches to baby monitors, billions of devices have become the core of daily life. However, the 2014 Radio Equipment Directive (RED) did not foresee this wave of growth, as the regulatory framework at that time did not cover cyber security protection. As a result, frequent incidents such as DDoS attacks, personal data breaches, and financial fraud have become potential disruptive risks to the EU's digital single market.

 

The European Commission launched the RED revision in 2021 to include cyber security as a core compliance requirement. This decision was driven by two key insights:

Secure by Default: IoT devices need to have built-in protection mechanisms from the design phase, rather than remediation after the fact.

Hierarchical control: In response to different equipment risks (such as network connection, data processing, and electronic payment), Articles 3.3(d), (e) and (f) are formulated separately to precisely target the various threats.

 

The EN 18031 series of standards is the technical specification and implementation benchmark for the RED directive's cyber security requirements. It is divided into three parts (EN 18031-1/2/3), corresponding to the different security levels of RED Article 3.3 (network damage protection, privacy protection, and anti-fraud).

 

The above three categories (d/e/f) all concern so-called "security assets", which after a general evaluation are divided into network, privacy, and financial assets.

 

Regulation enforcement timeline:

On January 30, 2025, the European Commission officially included the EN 18031 series of standards in the list of harmonised standards for the Radio Equipment Directive (RED) in the Official Journal of the European Union (OJ), making this series of standards an important basis for the network security compliance of radio equipment within the EU. From August 1, 2025, Article 3.3(d), (e) and (f) of the RED Directive on cyber security will come into force!

 

Key points of regulation update:

New requirements in Article 3.3 of the RED Directive:

• 3.3(d): For devices that can connect to the network on their own (such as mobile phones and smart appliances), it is required to prevent devices from endangering network operations (such as denial of service attacks) and to prohibit the abuse of bandwidth resources.

• 3.3(e): For devices that process personal/location data (e.g. wearables, children's toys), enforce end-to-end encryption and access controls, and align with Article 4 of the GDPR and the Electronic Communications Privacy Directive.

• 3.3(f): For devices that support electronic payments (such as mobile payment terminals and cryptocurrency hardware wallets), strengthen transaction verification mechanisms (such as multi-factor authentication) to prevent fraud and theft of virtual currency.

• Exemption scope: Radio equipment covered by (EU) 2017/745 (medical devices), (EU) 2017/746 (in vitro diagnostic medical devices), (EU) 2018/1139 (civil aviation safety), (EU) 2019/2144 (vehicle type recognition) and Directive (EU) 2019/520 (Electronic Road Pricing System) is exempt from Article 3.3(e) and (f).

Key security and compliance requirements of (EU) 2025/138:

• Default password issue: If the device has a password-setting function but allows the user not to set or use a password, the relevant standards are not recognized as meeting the basic requirements of the directive. This means that the device must force users to set a password to ensure security.

• Access control for toys and child care equipment: If access control by parents or guardians is not ensured, the basic requirements of the directive are not met. This means that these devices must have mechanisms that allow parents or guardians to control them.

• Security updates for financial assets: The security update assessment criteria specify multiple implementation categories, and no single approach alone is sufficient to address the security of financial assets. This means that multiple security measures need to be considered to ensure the safety of financial assets.

Remarks

Product types that require a Notified Body (NB): IoT devices without passwords; Bluetooth devices that have a login identity and password through the app or Bluetooth networker; toys (children's watches, recording dolls); baby monitors; payment or cryptocurrency related devices.

 

BACL technical expert advice

Manufacturers should ensure that their products comply with the EN 18031 standard and complete the conformity assessment before August 1, 2025. BACL is the NB organization of RED. We are familiar with the requirements of EN 18031 series standards and have rich practical experience. We also have long-term experience in ETSI EN 303 645. You are welcome to consult us.

 

EU official website link

https://eur-lex.europa.eu/eli/dec_impl/2025/138/oj/eng

 

BACL Network Security Testing and Certification Capabilities

Common Criteria (CC)

Common Criteria is ISO/IEC 15408, an internationally recognized high-level standard for cybersecurity certification that aims to ensure the security performance of information systems, products and services reaches an internationally recognized level. BACL has more than 10 years of experience as an authorized agency for CC assessment.

IoT Cybersecurity (IoT)

• ETSI EN 303 645

• RED Article 3.3(d)/(e)/(f) cybersecurity qualification

• IECEE CB certificate issuing qualification

• PSTI (the UK cybersecurity act) qualification

• NIST (US cybersecurity assessment) qualification

• ISO 27001/27701/GDPR

BACL Cybersecurity service advantages

• Consulting and evaluation for network information during the research and development phase

• Consultation and evaluation for the UK PSTI Act

• Consulting and evaluation of cybersecurity for the CE RED directive

• Consulting and Evaluation for California SB-327 in the US

• Consulting and evaluation for the US FCC voluntary cybersecurity certification

• Consulting and evaluation of cybersecurity in Brazil, Singapore and other countries around the world