Cybersecurity Briefing — July 15, 2025
The one-month countdown to the EU radio-equipment cybersecurity mandate forces device makers and importers to lock testing, technical documentation, and declaration updates before 1 August 2025.
Executive briefing: Commission Delegated Regulation (EU) 2022/30—now amended by Commission Delegated Regulation (EU) 2023/2445—makes Articles 3(3)(d), 3(3)(e), and 3(3)(f) of the Radio Equipment Directive enforceable from August 1, 2025. Wireless device manufacturers, authorised representatives, and importers must show products protect networks from harm, safeguard personal data, and support fraud prevention. July is the final validation window to complete Annex VI technical documentation, update EU declarations of conformity, and confirm Notified Body assessments where harmonised standards are still pending.
Engineering checkpoints
- Security testing. Finalise penetration, fuzzing, and over-the-air robustness testing against ETSI EN 303 645, ETSI EN 301 489-1, and draft harmonised standards covering Article 3(3) controls.
- Secure configuration. Ensure default credentials are disabled, secure bootloaders are enforced, and update channels implement cryptographic integrity verification before mass production runs ship in July.
- Incident logging. Instrument telemetry and event logs that allow network operators to trace malicious use while respecting GDPR data minimisation.
Documentation and market access
- Technical files. Update Annex VI technical documentation with cybersecurity risk assessments, lifecycle maintenance plans, and evidence of secure development processes.
- EU declaration updates. Refresh declarations of conformity to cite Articles 3(3)(d)-(f) and referenced standards; prepare translations for each target member state market.
- Supply-chain attestations. Require contract manufacturers and module suppliers to provide compliance attestations covering firmware provenance, SBOM availability, and patch SLAs.
Market surveillance readiness
- Post-market monitoring. Stand up vulnerability intake channels, coordinated disclosure workflows, and PSIRT on-call processes aligned with Article 10 obligations.
- Importer obligations. Educate EU distributors on documentation retention, sample testing, and withdrawal procedures if national authorities flag non-compliance after August 1.
- Cross-regulation alignment. Map Radio Equipment Directive controls to upcoming EU Cyber Resilience Act, AI Act, and GDPR requirements to minimise duplicate assessments.
Sources
- Commission Delegated Regulation (EU) 2022/30
- Commission Delegated Regulation (EU) 2023/2445
- ETSI EN 303 645 V2.1.1
Zeph Tech guides radio-equipment manufacturers through July cutover tasks, aligning cybersecurity testing, documentation, and supplier attestations ahead of EU market surveillance on August 1, 2025.