Cybersecurity Briefing — August 1, 2025
The EU Radio Equipment Directive’s deferred cybersecurity requirements take effect, forcing wireless and IoT device makers to harden authentication, network safeguards, and data protection to keep selling into the bloc.
Executive briefing: Articles 3(3)(d)–(f) of the EU Radio Equipment Directive (RED) become enforceable on August 1, 2025 following the Commission’s two-year deferral. Wireless and IoT devices that communicate over the internet must now demonstrate secure network access controls, resilient processing safeguards, and robust personal data protection before they can be placed on the EU market.
Key compliance checkpoints
- Access control assurance. Manufacturers must ensure radio equipment activates network access only for authenticated software, closing long-standing gaps exploited by credential stuffing and malware sideloading.
- Resilience verification. Devices need safeguards against network disruptions or malicious traffic that could degrade emergency communications or interfere with other services.
- Privacy-by-design evidence. Products handling personal data must include secure storage, transmission, and deletion mechanisms aligned with GDPR expectations.
Control alignment
- ETSI EN 303 645. Map RED requirements to the consumer IoT baseline to demonstrate vulnerability disclosure, secure boot, and software update processes.
- ISO/IEC 27001 Annex A 8.28 and 8.32. Bolster data-at-rest and secure coding controls that certification auditors will check against RED compliance documentation.
- GDPR DPIAs. Update data protection impact assessments for connected products to show encryption, minimisation, and consent management improvements tied to RED.
Implementation priorities
- Run firmware penetration tests focused on authentication bypass, unsigned update acceptance, and denial-of-service vectors cited in the delegated act.
- Build EU technical documentation packages that include threat models, secure lifecycle procedures, and conformity assessment reports ready for market surveillance authorities.
Enablement moves
- Launch supplier readiness reviews for Wi-Fi, Bluetooth, and cellular modules to confirm component vendors can furnish RED-aligned security attestations.
- Update customer security guides and labeling so distributors understand the new expectations for default passwords, update policy, and vulnerability reporting.
Sources
- Commission Delegated Regulation (EU) 2022/30 supplementing Directive 2014/53/EU (January 12, 2022)
- Commission Delegated Regulation (EU) 2023/1717 deferring application of Articles 3(3)(d)–(f) to August 1, 2025 (August 18, 2023)
Zeph Tech guides device makers through RED conformity assessments, coordinating secure development lifecycles, supplier attestations, and penetration testing needed for sustained EU market access.