European Union (EU) Compliance: How Ezurio is Helping Customers with RED-DA 2022/30 and Cyber Resilience Act Compliance

The clock is ticking for manufacturers of all digital devices and software products to meet the EU's new cybersecurity requirements. The Radio Equipment Directive (RED) Delegated Act 2022/30 and the Cyber Resilience Act (CRA) affect many, many products, even those without direct internet access; some standards for compliance have been released while others are still being developed. Manufacturers must comply with the new RED Cybersecurity rules by August 1, 2025, with the incident reporting rules of the CRA by September 11, 2026, and with the full requirements of the CRA by December 11, 2027.

Follow along with Ezurio to stay ahead of shifting developments and keep your devices compliant before rapidly approaching deadlines. We are fully committed to achieving compliance by these deadlines -- and to helping our customers achieve the same.


What are the RED and the CRA?

The RED (Directive 2014/53/EU) is an EU legislative framework that sets out essential requirements for selling and operating radio equipment within the European Economic Area (EEA) to ensure its safety, compatibility, and efficient use of the radio spectrum. 

The CRA is an EU regulation that aims to improve the cybersecurity of products and services that contain digital elements. 

The changes to the RED introduced by RED-DA 2022/30 and the adoption of the CRA will require OEMs to demonstrate compliance with new key security considerations and requirements in order for their products to be sold and used in the European Union. These changes are summarized below.

Radio Equipment Directive (RED)

The RED has served since 2014 as the EU's regulatory framework for establishing compliance standards for all wireless equipment in the EU. Recent updates to the RED (RED-DA 2022/30) have established three new critical Cybersecurity requirements:

  • Network Protection (Article 3.3(d))
  • Data Protection and Privacy (Article 3.3(e))
  • Fraud Prevention (Article 3.3(f))

Who Is Affected: Any OEM product with the CE mark that meets one of the following criteria: features IP-based connection, is wearable, childcare-related, a toy, or processes virtual monetary data. 

Timeline: Requirements take effect August 1, 2025


Cyber Resilience Act (CRA)

The CRA was formally adopted in October of 2024 and officially entered into force 22 days later in November of 2024. OEMs have 36 months after entry into force to comply with the CRA requirements with some provisions to apply at an earlier stage.

The CRA is an EU regulation designed to address cybersecurity risks to consumers and businesses. It requires manufacturers and providers to oversee safety and security more aggressively throughout the product lifecycle to help mitigate cybercrime incidents worldwide.

  • Creates a regulatory framework for mandatory incident reporting
  • Requires that software which can be "reasonably expected" to support regular updates must roll out security updates by default (users may opt out)
  • Establishes security responsibilities for developers and organizations involved in open-source project development

Who is Affected: Providers of products with digital elements, including those not covered by RED such as wired equipment or software. 

Timeline: Incident-reporting mechanisms required by September 11, 2026. Remaining cybersecurity requirements enforceable by December 11, 2027.


Our Statement on RED and CRA Updates

We have evaluated the EU’s Cyber Resilience Act (CRA) and the Radio Equipment Directive (RED) cybersecurity requirements outlined in Article 3.3 (d), (e), and (f) and are actively pursuing compliance for all applicable products. Applicable products are generally those that ship with application software and do not require configuration or integration to enable internet connectivity. We are fully committed to achieving compliance by the August 1, 2025 deadline.

While we will ensure compliance with RED Article 3.3 for our applicable products, it is important to note that for Radio Modules and SOMs, the end product must still undergo its own assessment to verify conformance. This is largely because the RED Cybersecurity requirements can only practically be achieved with a fully integrated end-product and application software.

Please note that we are not a Notified Body. It is recommended that customers collaborate directly with a Notified Body or an accredited laboratory to evaluate compliance with the EN 18031-X standards and determine the necessary compliance requirements for their end products.


A Timeline of Developments in RED and CRA


FAQ

When will EN 18031-1, -2, and -3 be accepted in the OJ and why is it not harmonized yet?

Update: As of January 28, 2025, EN 18031-1, -2, and -3 have been officially harmonized in the OJ.

Will a Notified Body be required to review conformity to RED Cyber?

It depends.

Yes: if the equipment manufacturer cannot adhere to the restrictions (Annex I) on the implementation of the applicable harmonized standards EN 18031-1:2024, EN 18031-2:2024 or EN 18031-3:2024, then a Notified Body is required to review conformity to those standards through a Type Examination Procedure, confirm compliance, and issue a Type Examination Certificate to fulfill that item in the equipment's Declaration of Conformity.

No: if the equipment manufacturer adheres to the restrictions (Annex I) on the implementation of the applicable harmonized standards EN 18031-1:2024, EN 18031-2:2024 or EN 18031-3:2024, then the equipment manufacturer can perform the conformity assessment itself through a formal self-assessment. The equipment manufacturer then declares and confirms compliance within the equipment's Declaration of Conformity.

What does this mean for legacy products that are CE marked that cannot meet RED Cyber requirements?

For legacy products that are CE marked, the applicability depends on when and how the products were placed on the EU market:

  • Grandfathered Products: Any product that was already placed on the EU market (i.e., transferred to economic operators or sold after production) before the new requirements become applicable can continue to be used without the need for adaptation until the end of its lifecycle. This includes products in the hands of consumers or other economic operators.
  • Products in Stock or Continuous Production: Products still in stock or in continuous production and placed on the market after August 1, 2025, must comply with the new RED Article 3.3 (d), (e), and (f) requirements. This applies to both new batches of legacy equipment and old batches sold after this date.
  • Non-Compliant Legacy Products: If a legacy product cannot meet the new requirements (e.g., because it is not firmware upgradable or due to hardware limitations), manufacturers may involve a Notified Body to conduct a risk analysis. The analysis must demonstrate that the remaining risks are acceptable for the intended use case. Based on this assessment, a Notified Body may determine whether the product can still achieve conformity or require further action.


What are the specific requirements of RED Cyber or where would I go to find out what I need to do to conform?

To comply with the cybersecurity requirements outlined in Articles 3.3 (d), (e), and (f) of the Radio Equipment Directive (RED), manufacturers should focus on the following key areas:

  • Network Protection (Article 3.3(d)):
    Ensure that radio equipment does not harm the network or its functioning, nor misuse network resources, thereby preventing unacceptable degradation of service.
  • Data Protection and Privacy (Article 3.3(e)):
    Implement safeguards to protect personal data and user privacy during communication.
  • Fraud Prevention (Article 3.3(f)):
    Incorporate measures to reduce the risk of fraud, particularly in devices handling monetary transactions.

The EN 18031 series of standards, comprising EN 18031-1, EN 18031-2, and EN 18031-3, provides a foundational framework for addressing these requirements:

  • EN 18031-1: General cybersecurity requirements for internet-connected Radio Equipment.
  • EN 18031-2: Specific requirements for internet-connected Radio Equipment that processes personal data, and for Radio Equipment that is wearable or a child's toy.
  • EN 18031-3: Requirements for internet-connected Radio Equipment that processes data of monetary value.

These standards provide detailed guidance on what needs to be implemented for RED Article 3.3 compliance.

For detailed instructions on aligning your products with EN 18031, manufacturers can refer to the standards directly or consult with a Notified Body to ensure all specific requirements are addressed. Relevant updates on harmonization and additional compliance resources can also be accessed through the European Commission's website:

Radio Equipment Directive - European Commission

By integrating EN 18031 into product development processes and working closely with conformity assessment bodies, manufacturers can meet RED cybersecurity requirements effectively.

What Ezurio products are impacted by RED Cyber?

As of the applicability date of RED Article 3.3 (d), (e), and (f) — effective August 1, 2025 — Ezurio products that ship with software and a default configuration enabling direct or indirect Internet connectivity are impacted and must comply with RED Cybersecurity requirements on a stand-alone basis. These articles cover:

  • Article 3.3 (d): Safeguarding of network functions
  • Article 3.3 (e): Protection of personal data and privacy
  • Article 3.3 (f): Protection against fraud

Ezurio’s position, in alignment with expert guidance, is that radio modules, SOMs, and USB dongles which are subcomponents or development platforms and do not ship with integrated Internet-capable applications are not subject to RED Cyber on a standalone basis.

The following table captures RED Cybersecurity applicability across different product lines and products. It should be noted that a product Ezurio does not plan to take through a standalone assessment is in no way a statement that RED Cybersecurity does not apply when that product is integrated into a Final Radio Product. It is up to the integrator to ensure full conformity with RED and any other applicable regulatory requirements for the end product.

Product Line | Product(s) | RED Cyber Status | Future Actions
Radio Modules, SOMs, SBCs, and USB Dongles | All | Not applicable in DoC - subcomponents of a final Radio Product | CVE Reporting & SBOM
IoT Devices | MG100, BT510 | Not applicable in DoC - products will be delivered without application software as development platforms | CVE Reporting & SBOM
IoT Devices | IG60 | Assessment planned for Article 3.3 (d) | CVE Reporting & SBOM
IoT Devices | RS1xx | Assessment planned for Article 3.3 (d) | CVE Reporting & SBOM
IoT Devices | RG1xx | Assessment planned for Article 3.3 (d) | CVE Reporting & SBOM
IoT Devices | RS2xx | Assessment planned for Article 3.3 (d) | CVE Reporting & SBOM

How does RED Cyber apply to radio modules or system-on-modules (SOMs) that would be a component within an end product and not the end product itself?

Under the Radio Equipment Directive (RED) 2014/53/EU, specifically Article 3.3 (d), (e), and (f), compliance obligations are placed on the end product, not necessarily on the internal components such as radio modules or system-on-modules (SOMs). However, the application of RED Cyber provisions to such components depends on how the product is shipped, marketed, and used.

Key Interpretation Points:

1. Radio Modules as Subcomponents — Not Final Radio Product:

  • RED does not formally recognize "modular approvals" like the U.S. FCC does.
  • Radio Modules and SOMs, when shipped in a form that requires product integration, do not qualify as Final Radio Products and therefore are not subject to standalone RED Cyber assessments.
  • This interpretation aligns with the RED Compliance Association (RED CA) Technical Guidance Note for Radio Modules and current notified body practice.

2. Shipping Configuration Determines Applicability:

  • Radio Modules/SOMs shipped “blank” (i.e., without operating systems or functional application firmware) are not in scope for RED Article 3.3 (d), (e), or (f) because they cannot:
    - Connect to the Internet directly or indirectly
    - Execute any network-facing behavior
    - Handle personal data, credentials, or software updates

3. Gray Areas Require Manufacturer Declaration:

  • If a Radio Module includes firmware (e.g., AT command interface, HCI-only Bluetooth stack, or ROM bootloader), the decision of applicability hinges on:
    - Whether the firmware enables Internet connectivity or sensitive data processing out-of-the-box
    - Whether the manufacturer chooses to declare the component as an end product or a subcomponent
  • Ezurio’s position is to declare these as sub-components and claim non-applicability.

4. SOMs Follow the Same Logic:

  • System-on-Modules that require customers to load their own operating system and application are treated similarly:
    - They are development platforms or subsystems
    - For CE-marked SOMs, Ezurio lists RED Article 3.3 (d), (e), and (f) as "N/A" in the DoC (Declaration of Conformity)

5. Customer Responsibility for End Product Compliance:

  • When Ezurio modules are integrated into a product they become a Final Radio Product, and it becomes the customer's responsibility to ensure RED Cyber compliance for the complete system.
  • Ezurio is committed to supporting customers through this process.

Conclusion

Radio Modules and SOMs are not subject to RED Cybersecurity requirements when shipped as components requiring user configuration or integration. This includes:

  • Modules with AT command interfaces, script runtimes, ROM bootloaders, or HCI-only stacks
  • SOMs that ship blank or with a BSP (Board Support Package) but no application

These components are listed as “Not Applicable” in Ezurio’s RED DoC filings. The end product manufacturer is responsible for final compliance assessment and RED Article 3.3 (d), (e), and (f) conformity.

What are the criteria for evaluating the applicability of any particular product for RED Cyber?

The applicability of RED Article 3.3 (d), (e), and (f) is determined by the capabilities and functions of the radio equipment. These criteria are used to evaluate whether these requirements apply:

  • RED Article 3.3 (d): This applies to radio equipment capable of establishing an Internet connection via an IP-based connection. The connection can be direct, indirect, temporary, or permanent.
  • RED Article 3.3 (e): This applies if the device processes personal, navigation, or location data. In such cases, data security and protection requirements come into effect. This applies if the radio equipment is capable of establishing an internet connection or if the device is childcare or wearable equipment.
  • RED Article 3.3 (f): This applies if the device processes virtual monetary data, requiring the equipment to meet specific security and integrity criteria related to financial transactions.
  • Other Considerations:
    - Component vs End-Product
    - Blank vs Preloaded Software
    - Development Platforms vs Deployable Devices

For more complex scenarios, a detailed risk assessment may be needed to justify any exemptions. It is recommended that customers collaborate directly with a Notified Body or an accredited laboratory to evaluate compliance with the EN 18031-X standards and determine the necessary compliance requirements for their end products.

Compliance is a moving target. This is how we can help.

Full EMC Test Lab with Decades of Expertise

Our EMC compliance testing lab has experience bringing our designs and our customers' products fully through the test certification process. We bring expertise to your project through a deep understanding of the various certification standards required for market entry across the globe. We've navigated complex regulatory changes before, and we're at the ready to do it again.


In-House Embedded Software Engineering and Support

Our worldwide support organization works directly with our software and hardware engineering teams to identify key requirements and changes, streamlining them into our development process and passing on that continuous improvement to our customers. Ezurio's customers leverage our knowledge and expertise via regular updates and value-added software offerings.


We're Connectivity Experts Who Partner With The Best

Across all levels of the embedded wireless design business, we have developed deep partnerships that help us stay ahead of industry developments and provide cutting-edge hardware and software. Our partners include silicon vendors, software providers, technology partners and distributors who operate in many end industries and are creating the connected world of tomorrow.