European Union (EU) Compliance: How Ezurio is Helping Customers with RED-DA 2022/30 and Cyber Resilience Act Compliance

The clock is already ticking for manufacturers of all digital devices and software products to meet the EU's new security requirements. The Radio Equipment Directive (RED) Delegated Act 2022/30 and the Cyber Resilience Act (CRA) affect a very large number of products, even those without direct internet access; some standards for compliance have already been released while others are still being developed. Manufacturers must be compliant with the new RED cybersecurity rules by August 2025, with the incident reporting rules of the CRA by September 2026, and with the full requirements of the CRA by December 2027.

Follow along with Ezurio to stay ahead of shifting developments and keep your devices compliant before rapidly approaching deadlines. We are fully committed to achieving compliance by these deadlines -- and to helping our customers achieve the same.


What are the RED and the CRA?

The RED (Directive 2014/53/EU) is an EU legislative framework that sets essential requirements for selling and operating radio equipment within the European Economic Area (EEA) to ensure its safety, compatibility, and efficient use of the radio spectrum. 

The CRA is an EU regulation that aims to improve the cybersecurity of products and services that contain digital elements.

Changes to the RED in RED-DA 2022/30 and the adoption of the CRA will require OEMs to demonstrate compliance to new key security considerations and requirements in order to be sold and used in the European Union. These changes are summarized below.

Radio Equipment Directive (RED)

The RED has served since 2014 as the EU's regulatory framework for establishing compliance standards for all wireless equipment in the EU. Recent updates to the RED (RED-DA 2022/30) have established three new critical Cybersecurity requirements:

  • Network Protection (Article 3.3(d))
  • Data Protection and Privacy (Article 3.3(e))
  • Fraud Prevention (Article 3.3(f))

Who Is Affected: Any OEM product with the CE mark that meets one of the following criteria: features an IP-based connection, is wearable, is childcare-related, is a toy, or processes virtual monetary data.

Timeline: Requirements take effect August 1, 2025

Cyber Resilience Act (CRA)

The CRA was formally adopted in October 2024 and officially entered into force 22 days later, in November 2024. OEMs have 36 months after entry into force to comply with the CRA requirements, with some provisions applying at an earlier stage.

The CRA is an EU regulation designed to address cybersecurity risks to consumers and businesses. It requires manufacturers and providers to more aggressively oversee safety and security throughout the product lifecycle to help mitigate cybercrime incidents worldwide.

  • Creates a regulatory framework for mandatory incident reporting
  • Requires that software which can be "reasonably expected" to support regular updates must roll out security updates by default (users may opt out)

Who is Affected: Providers of products with digital elements, including those not covered by RED such as wired equipment or software. 

Timeline: Incident-reporting mechanisms required by September 11, 2026. Remaining cybersecurity requirements enforceable by December 11, 2027.

Our Statement on RED and CRA Updates

We have evaluated the EU’s Cyber Resilience Act (CRA) and the Radio Equipment Directive (RED) cybersecurity requirements outlined in Article 3.3 (d), (e), and (f) and are actively pursuing compliance for all Radio Modules, USB Dongles, System on Modules (SOMs), and IoT Devices. We are fully committed to achieving compliance by the August 1, 2025 deadline.

While we will ensure compliance with RED Article 3.3 for our products, it is important to note that for Radio Modules and SOMs, the end product must still undergo its own assessment to verify conformance. Please be aware that we are not a Notified Body, and customers will need to work directly with a Notified Body to assess their end products' compliance.

A Timeline of Developments in RED and CRA


FAQ

What are the specific requirements of RED Cyber or where would I go to find out what I need to do to conform?

To comply with the cybersecurity requirements outlined in Articles 3.3 (d), (e), and (f) of the Radio Equipment Directive (RED), manufacturers should focus on the following key areas:

  • Network Protection (Article 3.3(d)):
    Ensure that radio equipment does not harm the network or its functioning, nor misuse network resources, thereby preventing unacceptable degradation of service.
  • Data Protection and Privacy (Article 3.3(e)):
    Implement safeguards to protect personal data and user privacy during communication.
  • Fraud Prevention (Article 3.3(f)):
    Incorporate measures to reduce the risk of fraud, particularly in devices handling monetary transactions.

The EN 18031 series of standards, comprising EN 18031-1, EN 18031-2, and EN 18031-3, provides a foundational framework for addressing these requirements:

  • EN 18031-1: General cybersecurity requirements for internet connected Radio Equipment.
  • EN 18031-2: Specific requirements for internet connected Radio Equipment that passes personal data, or Radio Equipment that is wearable or a child's toy.
  • EN 18031-3: Requirements for internet connected Radio Equipment that passes data of monetary value.

While EN 18031 serves as an important basis for achieving compliance, it is not yet harmonized under RED, meaning manufacturers will need to work with Notified Bodies for conformity assessments. These standards provide detailed guidance on what needs to be implemented for RED Article 3.3 compliance.

For detailed instructions on aligning your products with EN 18031, manufacturers can refer to the standards directly or consult with a Notified Body to ensure all specific requirements are addressed. Relevant updates on harmonization and additional compliance resources can also be accessed through the European Commission's website:

Radio Equipment Directive - European Commission

By integrating EN 18031 into product development processes and working closely with conformity assessment bodies, manufacturers can meet RED cybersecurity requirements effectively.

What Ezurio products are impacted by RED Cyber?

Since RED Cyber is part of the EU’s Radio Equipment Directive, this impacts all of Ezurio’s Radio Modules, System-on-Modules (SOMs), and IoT Devices that are CE marked.

How does RED Cyber apply to radio modules or system-on-modules (SOMs) that would be a component within an end product and not the end product itself?

RED Article 3.3 (d), (e), and (f) applies to any product placed on the EU market with the CE mark. Radio modules and SOMs are not exempt from meeting the RED security requirements. Even though these are components, choosing to CE mark them requires demonstrating compliance with all applicable requirements.

The EU does not recognize modular approvals, meaning a radio module or system-on-module (SOM) with a CE mark will still need to undergo a conformance assessment once integrated into the end product. We nevertheless take the approach of CE marking our radio modules and SOMs to minimize the risk for our customers when integrating them into their products. While this helps streamline the compliance process, it does not eliminate the need for the final product to undergo its own conformity assessment.

What are the criteria for evaluating the applicability of any particular product for RED Cyber?

The applicability of RED Article 3.3 (d), (e), and (f) is determined by the capabilities and functions of the radio equipment. The decision tree below, along with the following criteria, is used to evaluate whether these requirements apply:

  • RED Article 3.3 (d):
    This applies to radio equipment capable of establishing an Internet connection via an IP-based connection. The connection can be direct, indirect, temporary, or permanent.
  • RED Article 3.3 (e):
    This applies if the device processes personal, navigation, or location data. In such cases, data security and protection requirements come into effect. This applies if the radio equipment is capable of establishing an internet connection or if the device is childcare or wearable equipment.
  • RED Article 3.3 (f):
    This applies if the device processes virtual monetary data, requiring the equipment to meet specific security and integrity criteria related to financial transactions.

Would it be possible to make a case that components such as Radio Modules and SOMs are exempt from RED Cyber since they are 1) not end-products and 2) would have to go through end-product testing again anyway?

The short answer is no: it is not possible to categorically exempt radio modules or system-on-modules (SOMs) from the requirements of RED Article 3.3 (d), (e), or (f) solely because they are components and not end products.

The applicability of RED Cyber provisions depends on the technical capabilities of the product, such as whether it can establish an IP-based Internet connection or process private, navigation, or financial data. 

What does this mean for legacy products that are CE marked that cannot meet RED Cyber requirements?

For legacy products that are CE marked, the applicability depends on when and how the products were placed on the EU market:

  1. Grandfathered Products: Any product that was already placed on the EU market (i.e., transferred to economic operators or sold after production) before the new requirements become applicable can continue to be used without the need for adaptation until the end of its lifecycle. This includes products in the hands of consumers or other economic operators.
  2. Products in Stock or Continuous Production: Products still in stock or in continuous production and placed on the market after August 1, 2025, must comply with the new RED Article 3.3 (d), (e), and (f) requirements. This applies to both new batches of legacy equipment and old batches sold after this date.
  3. Non-Compliant Legacy Products: If a legacy product cannot meet the new requirements (e.g., because it is not firmware upgradable or due to hardware limitations), manufacturers may involve a Notified Body to conduct a risk analysis. The analysis must demonstrate that the remaining risks are acceptable for the intended use case. Based on this assessment, a Notified Body may determine whether the product can still achieve conformity or require further action.

What is Ezurio's statement on the CRA and RED requirements?

We have evaluated the EU’s Cyber Resilience Act (CRA) and the Radio Equipment Directive (RED) cybersecurity requirements outlined in Article 3.3 (d), (e), and (f) and are actively pursuing compliance for all Radio Modules, USB Dongles, System on Modules (SOMs), and IoT Devices. We are fully committed to achieving compliance by the August 1, 2025 deadline.

While we will ensure compliance with RED Article 3.3 for our products, it is important to note that for Radio Modules and SOMs, the end product must still undergo its own assessment to verify conformance. Please be aware that we are not a Notified Body, and customers will need to work directly with a Notified Body to assess their end products' compliance.

When will EN 18031-1, -2, and -3 be accepted in the OJ and why is it not harmonized yet?

Update: As of January 28, 2025, EN 18031-1, -2, and -3 have been officially harmonized in the OJ.


Will a Notified Body be required to review conformity to RED Cyber?

It depends.

Yes, if the equipment manufacturer cannot adhere to the restrictions (Annex I) on the implementation of the applicable harmonized standards EN 18031-1:2024, EN 18031-2:2024 or EN 18031-3:2024. In that case a Notified Body is required to review conformity through a Type Examination Procedure against those standards, confirm compliance, and issue a Type Examination Certificate to fulfill that item in the equipment's Declaration of Conformity.

No, if the equipment manufacturer adheres to the restrictions (Annex I) on the implementation of the applicable harmonized standards EN 18031-1:2024, EN 18031-2:2024 or EN 18031-3:2024. In that case the Type Examination Procedure can be performed by the equipment manufacturer through a formal conformity self-assessment, and the manufacturer then declares and confirms compliance within the equipment's Declaration of Conformity.

Compliance is a moving target. This is how we can help.

Full EMC Test Lab with Decades of Expertise

Our EMC compliance testing lab has experience bringing our designs and our customers' products fully through the test certification process. We bring expertise to your project through a deep understanding of the various certification standards required for market entry across the globe. We've navigated complex regulatory changes before, and we're at the ready to do it again.


In-House Embedded Software Engineering and Support

Our worldwide support organization works directly with our software and hardware engineering teams to identify key requirements and changes, streamlining them into our development process and passing on that continuous improvement to our customers. Ezurio's customers leverage our knowledge and expertise via regular updates and value-added software offerings.


We're Connectivity Experts Who Partner With The Best

Across all levels of the embedded wireless design business, we have developed deep partnerships that help us stay ahead of industry developments and provide cutting-edge hardware and software. Our partners include silicon vendors, software providers, technology partners and distributors who operate in many end industries and are creating the connected world of tomorrow.

