The ins and outs of Europe’s new Radio Equipment Directive (Reader Forum)

Europe is heading for a connected device overhaul. For years, the Radio Equipment Directive (RED) set the rules for wireless devices, ensuring they meet safety, spectrum efficiency and compatibility requirements. However, compliance is getting stricter with new cybersecurity standards coming online in the coming months. 

The latest update to the directive asks device makers to tighten up network protection, data security and fraud prevention or risk fines. This is in addition to the long-awaited and much-debated Cyber Resilience Act (CRA) which is even stricter and can block access to the EU market.

This one-two legislative punch promises a new era of connected device security in the bloc. Let’s look at what this requires of device makers, how it benefits device consumers and why it matters for the sector going forward.

Europe’s crackdown on weak IoT

Europe believes more devices demand better security safeguards in the Internet of Things (IoT). Connected endpoint numbers are booming following the pandemic and will likely reach more than 30B by the decade’s end. At the same time, with devices increasingly entering our most sacred personal and professional spaces, hacker crosshairs are more often focused on this sector, taking advantage of a history of low-security thresholds.

New regulations are willing this to change. The RED has been a legal requirement for all radio equipment sold in Europe since 2016. If a product transmits or receives radio waves – like smartphones, devices, routers or headsets — it must comply with the directive before going on sale in the bloc. And these rules are only getting stricter. The European Commission recently “harmonized” compliance of a new cybersecurity standard within the Radio Equipment Directive. Under EN 18031, developed by the European Telecommunications Standards Institute (ETSI), makers face new baselines related to data protection and security requirements.

This is on top of what’s happening with the CRA. This act — the most comprehensive suite of security and production guidelines ever passed in IoT — is in a three-year grace period before coming online in 2027. From then on, producers must support their products throughout their lifespan, follow cybersecurity minimums and outlaw generic credentials. Non-compliance promises hefty fines and even market barriers to entry.

New software and production baselines

Producers don’t have much time or room to be complacent. A few things are happening at once and they should seize the day by taking a closer look at what the new directive means, how the standard impacts their products and the dangers of inaction.

Compliance will become mandatory by August 1, 2025, so manufacturers must factor EN 18031 into their product development process. In all, the impetus of EN 18031 is to ensure that wireless devices don’t become security weak points by:

  1. Preventing unauthorized access: Under the standard and updated Radio Equipment Directive, devices require strong authentication mechanisms to block hackers.
  2. Protecting user information: Data breaches and fraud must be countered through encryption and secure communication protocols.
  3. Reducing the risk of botnet attacks: Device exploitation is widespread and producers must implement robust security measures to prevent remote hijacking.

Taken in tandem with the CRA, which pushes for stronger security-by-design principles, regulators are asking for significant changes and wielding a big stick to make it happen. Compliance will be crucial to avoid fines and retain access to one of the world’s largest consumer markets.

The time for compliance is now

Europe is drawing a line in the sand with these connected device rules. They see devices as essential and growing but also dangerously lax in make and function. This opens the door to bad actors who, concerningly, have grown in lock-step with endpoints since the pandemic. That was the case until now, with the updated RED and incoming CRA.

My advice for producers: Look at the winds of change and adjust accordingly. Regulators are taking this cybersecurity threat seriously and you should get up to code as quickly as possible. Remember that product redesigning takes investment and troubleshooting takes time. It’s in your interest to create devices that follow best practices in encryption, authentication and communication.

There are benefits to looking at the specifics of standards like EN 18031 and following them to the letter. This is because — as noted above — it’s a “harmonized” standard and officially recognized as a technical guideline by Europe, creating a clear pathway to compliance with the updated RED.

It’s worth clarifying that using harmonized standards is voluntary but reduces red tape. If your company builds a product using a harmonized standard, the EU automatically trusts that the product follows Radio Equipment Directive requirements without extra testing. If you decide against using the standard, you must provide alternative evidence like lab testing, technical assessments, or other certifications to prove the product meets RED’s rules. So, consider streamlining your compliance process, avoiding costly delays and ensuring your products meet the latest regulations by looking at harmonized standards and deciding if they’re your best bet.

Whatever happens next, I’m looking forward to an industry of better products. These regulations have been a long time coming with device makers cutting costs and dropping safeguards in a race to the bottom. Consumers deserve better and it’s heartening that Europe is taking this threat seriously. Device makers, the ball’s in your court.
