    January 25, 2022

    New Cyber Security Requirement for CE Marking: What You Need to Know

    Last updated: February 2025

    After years of discussions, the EU Commission has decided to implement cyber security in the Radio Equipment Directive (RED), which covers the majority of IoT and wireless products. The final deadline for any further comments or delays ended in December, so on 1 January 2022 the 30-month countdown started to August 2024, when cyber security was to formally become a mandatory requirement for CE marking of radio equipment. In July 2023 this was extended by 12 months to give manufacturers the time needed to fully understand the implications of the new standards, implement them effectively, and prepare their compliance programs, which will also benefit consumers. The new implementation date is 1 August 2025.

    Note: The UK is introducing mandatory cybersecurity requirements on 29 April 2024 - Read More about UK Cyber security CE marking requirements.


    The background of the new requirements

    The cyber security requirements have always been a part of the RED; however, due to uncertainties about how to demonstrate compliance, this part of the text was not implemented – until now.

    The relevant requirements are found in Article 3(3)(d), (e) and (f) of the RED. In simple terms, these are:

    (d) not to harm or misuse networks, causing unacceptable reduction of service
    (e) protection of personal data and privacy
    (f) protection from fraud

    The standard specified for these requirements is the EN 18031 series. It was produced by CENELEC at the request of the EU Commission and was finally harmonized in January 2025. The standard is, however, published with some restrictions that limit manufacturers' ability to self-declare their products without the involvement of a Notified Body.

    Which products are part of the scope?
    The scope of the RED, as well as of the cyber security article, is wide, so most connected products we use in our daily lives are included in the new requirements.

    Using the references described above, the corresponding scopes are:
    (d) Any radio equipment communicating over the internet, directly or indirectly.
    (e) All radio equipment processing personal data or traffic data and location data, e.g.:
    • Internet-connected radio equipment
    • Radio equipment for childcare*
    • Radio equipment within the Toys Directive*
    • Wearable radio equipment
    (f) Any internet-connected radio equipment enabling the transfer of money

    *All equipment with radio for children is included – including those not connected to the internet.

    Specifically excluded is equipment covered by the Medical Device or In-Vitro Regulation, as well as Aviation, Vehicles, and Road Toll systems.

    How to get started
    Time is of the essence, but from our experience, many manufacturers delay the start of implementing and complying with cyber security standards – mainly for two reasons:
     
    1. Limited knowledge of cyber security regulations: manufacturers whose traditional products were not connected often have limited experience with cyber security.
    2. Limited knowledge of formal standards: manufacturers who have wide experience making connected products may not be experienced with cyber security standards, which often include requirements that are outside of what is traditionally thought of as cyber security.

    Both groups should start with an introduction to the standard, focusing on the technical or formal part depending on the manufacturer’s experience.

    Another option is performing a gap analysis of the product to the standard. This leaves the manufacturer with a specific and valuable list of necessary improvements to implement within their next product.

    Reach out to Nemko to learn more about how we can help you with the services listed above, as well as to further assist in increasing security through, for example, vulnerability and penetration testing.
     
     

     

    Geir Hørthe

    Geir Hørthe is responsible for the Nemko cyber security initiative. He has worked at Nemko for more than 30 years, in the capacity of test services, lab manager of safety, ATEX and medical departments. He has also been Managing Director at the Nemko office in London for two years. After he returned to Norway, he held...
