In the European Union, the Radio Equipment Directive (RED) has long set the rules for wireless devices, ensuring that they meet safety, spectrum efficiency, and compatibility requirements. But in 2025, compliance is getting tougher: new cybersecurity standards adopted under RED, including EN 18031, will require IoT devices to have stronger protections against cyber threats, privacy risks, and fraud.

This guide breaks down RED, EN 18031, and what businesses need to know to stay compliant in the current regulatory landscape.

The Nabto Real Time Communication plaform for IoT

Ready to talk to our IoT experts to see what we can do?

Book a consultation today and get help with tech support, business inquiries, and other IoT queries. We are happy to help. Talk to you soon.

Understanding the EU’s RED

The Radio Equipment Directive (2014/53/EU) is the EU’s key regulation for wireless and radio-enabled devices. The “2014/53/EU” designation refers to the fact the EU adopted RED in 2014, with “53” indicating it was the 53rd directive issued that year, and “EU” signifying its applicability across all European Union member states. This directive has been legally required for all radio equipment sold in the EU since June 2016. In other words, if a product transmits or receives radio waves, whether it’s a smartphone, IoT device, Wi-Fi router, or Bluetooth headset, it must comply with RED before you can sell it in the EU.

The standard is designed to prevent interference, protect users by ensuring devices do not pose safety risks or compromise their personal data, and enhance security as more devices connect to the internet. The directive has evolved over time, with its latest updates introducing stricter cybersecurity requirements under Delegated Regulation (EU) 2022/30. These changes, set to take effect in August 2025, aim to reduce cyber risks, safeguard personal data, and prevent device tampering.

Scope of the Radio Equipment Directive: What devices does it cover?

RED applies to a wide range of products that transmit or receive radio waves for communication, specifically all that operate at a frequency range below 3000 gigahertz. This includes:

  • Consumer electronics like smartphones, tablets, laptops, smartwatches
  • IoT devices, including smart home gadgets like smart doorbells, connected wearables, and industrial sensors
  • Networking equipment like Wi-Fi router and modems
  • Radio-based communication in the form of walkie-talkies, CB radios, and two-way transceivers
  • Automotive navigation devices like GPS trackers, vehicle telematics, and radar systems

However, some products, like radio equipment for amateur radio operators, which is regulated separately for non-commercial and experimental use, or marine or aviation equipment, which is covered by its own set of regulations, are exempt from RED.

Ultimately, the directive is meant to ensure that every device using the EU’s radio spectrum is safe, secure, and doesn’t interfere with other systems.

Requirements under the RED

The RED establishes essential requirements to ensure that all wireless devices sold in the EU are safe and reliable. Let’s go over some of the requirements in more detail.

1. Preventing interference

To maintain a stable and interference-free radio environment, RED requires devices to use the radio spectrum efficiently. This means they must transmit and receive signals in a way that doesn’t disrupt other wireless systems like Wi-Fi networks, emergency communication systems, or mobile phone signals. The goal is to make sure that as more connected devices enter the market, they can operate without causing congestion or communication failures.

2. Electromagnetic Compatibility (EMC)

Electronic devices generate electromagnetic fields, and without proper regulation, they can disrupt nearby electronics. The Radio Equipment Directive mandates that products must meet Electromagnetic Compatibility (EMC) standards, ensuring they function correctly without interfering with other equipment. This is particularly crucial for environments with many connected devices, such as airports, hospitals, and industrial settings.

3. Health and safety

RED includes strict health and safety requirements to prevent harmful radiofrequency (RF) exposure to humans and animals. Wireless devices must comply with specific limits on electromagnetic emissions, ensuring that prolonged use of smartphones or wearables does not pose health risks. These regulations align with international safety standards and are regularly updated to reflect the latest scientific research.

4. Cybersecurity and fraud prevention

With cyber threats on the rise, RED’s latest update introduces mandatory cybersecurity and fraud prevention measures for wireless devices. Starting August 1, 2025, manufacturers must ensure that their products:

  • Protect user data and privacy through encryption and secure authentication
  • Prevent unauthorized access and cyberattacks, reducing such risks as botnet exploitation
  • Include safeguards against fraud, such as device spoofing or tampering

To support compliance, the European Commission has recently “harmonized” the EN 18031 standard – i.e. formally aligning it with RED requirements to provide a clear compliance pathway – officially recognizing the standard in the Official Journal of the EU (OJEU) on January 28, 2025. More on harmonization later.

EN 18031 provides a structured framework for securing radio equipment, ensuring that devices meet RED’s new cybersecurity standards without compromising performance or connectivity. This shift aligns RED with broader EU cybersecurity initiatives, including the Cyber Resilience Act (CRA), and reinforces the need for stronger security-by-design principles in IoT and connected devices.

Harmonized standards and Radio Equipment Directive compliance

Before I talk about the EN 18031 standard in more detail, I think it’s worth explaining how standards work in RED and what it means that EN 18031 has been “harmonized” under RED.

A harmonized standard in this case is an officially recognized technical guideline that provides a clear path to compliance with RED. These standards are developed by organizations like the European Telecommunications Standards Institute (ETSI), the European Committee for Standardization, also known as CEN, and European Committee for Electrotechnical Standardization, or CENELEC. The Official Journal of the European Union (OJEU) is the organization that publishes the standards after development.

The use of harmonized standards is voluntary, but it reduces red tape significantly. If a company builds a product using a harmonized standard, the EU automatically trusts that the product follows RED requirements without any extra testing. If a manufacturer chooses not to use the standard, they must provide alternative evidence (e.g., lab testing, technical assessments, or Notified Body certification) to prove their product meets RED’s rules.

Key harmonized standards under RED

The list of harmonized RED standards includes the following:

  1. EN 300 328: Covers Wi-Fi and Bluetooth devices, ensuring they use the 2.4 GHz band efficiently without interfering with other wireless systems.
  2. EN 301 893: Applies to 5 GHz Wi-Fi networks, regulating how these devices operate to prevent overlapping signals and connectivity issues.
  3. EN 303 645: Establishes baseline security requirements for IoT devices, focusing on password management, software updates, and data protection.
  4. EN 18031: The latest addition, harmonized on January 28, 2025, this standard reinforces cybersecurity measures for radio equipment. It ensures compliance with RED’s new cybersecurity mandates under Delegated Regulation (EU) 2022/30, helping manufacturers protect devices from cyber threats, fraud, and unauthorized access.

By following these harmonized standards, manufacturers can streamline the compliance process, avoid costly delays, and ensure their products meet the latest EU regulations.

What is EN 18031 in RED compliance?

Now let’s take a closer look at EN 18031 in particular. As of January 28, 2025, EN 18031 is an official harmonized standard under RED and was published in the Official Journal of the EU. With compliance becoming mandatory by August 1, 2025, manufacturers must now factor EN 18031 into their product development process to ensure their devices meet the latest cybersecurity regulations.

EN 18031 works to prevent:

  1. Unauthorized access: Ensuring devices have strong authentication mechanisms to block hackers.
  2. Data breaches and fraud: Protecting user information through encryption and secure communication protocols.
  3. Exploitation in botnet attacks: Reducing risks by requiring robust security measures against remote hijacking.

In all, EN 18031 helps ensure that wireless devices don’t become weak points in global cybersecurity.

Although EN 18031 is part of RED, it also serves as a reference standard for the Cyber Resilience Act, the EU’s broader cybersecurity regulation for all connected devices. The CRA introduces long-term security maintenance, vulnerability management, and incident reporting requirements, many of which align with EN 18031’s core principles. This means that manufacturers who comply with EN 18031 are also better positioned to meet future CRA obligations when selling IoT products in the EU.

The compliance process for RED

Now that we’ve looked at both RED and EN 18031, let’s talk about how companies can actually go about proving compliance. The first steps are to complete a Declaration of Conformity (DoC) and obtain a CE marking before selling their products in the EU. Let’s discuss what these are.

A Declaration of Conformity is a legally binding document stating that the product meets RED requirements. The DoC must include product details, like the type of device and serial number, and the manufacturer’s name and address. It will need to include a signed statement confirming compliance. Additionally, it will need to include either a reference to the harmonized standards or alternative compliance methods used.

If a manufacturer chooses not to follow harmonized standards, or if no suitable standards exist for their product, they must demonstrate compliance through extensive testing and technical documentation, as well as a third-party assessment by a Notified Body (an independent EU-accredited certification organization). Since this process is much more complicated, expensive, and time-consuming, manufacturers usually prefer to use harmonized standards.

Once all the paperwork goes through, manufacturers obtain a CE marking, which certifies that the product is RED-compliant. While the process may be complicated at times, it’s necessary because the CE marking tells buyers that they can trust the device and provides a level of standardization that improves quality throughout the IoT market.

Final thoughts

As cybersecurity threats continue to evolve, RED remains a key framework for keeping wireless technology safe, efficient, and secure. Businesses that adapt now will be better positioned for the future of IoT security and regulatory compliance. If you want to learn more about how RED is contributing to security and safety in our industry, book a consultation with Nabto.

Read Our Other Resources

We’ve also published a range of IoT device resources for our community, including:

Want to learn more about P2P IoT?

Please visit the:
P2P IoT Academy

Deep dive Into our documentation?

Please visit the:
Nabto Platform Overview

Try our demo for Video Surveillance?

Please visit the:
Nabto Edge
Video Cam Demo

Looking for other Great posts?

###

Understanding STUN Servers in WebRTC and IoT

When you’re building something like a video chat app, a smart doorbell, or an online [...]

21
May
Image depicting video streaming
What is Adaptive Bitrate Streaming?

Streaming video has become a major part of how we entertain ourselves, learn new skills, [...]

06
May
Image depicting a woman engaging in a video call via RTMP or WebRTC protocols.
RTMP vs. WebRTC: Which Streaming Protocol is Right for You?

Streaming audio and video over the internet has become essential for everything from live sports [...]

23
Apr