London, 5 February 2025 – Manufacturers of internet-connected devices such as smart speakers and gaming consoles are being encouraged to act now to meet impending market access requirements around cybersecurity, or risk losing access to the EU market.
Designed to enhance the cybersecurity of certain products, the European Commission has adopted a Delegated Act (Regulation (EU) 2022/30) which updates the EU Radio Equipment Directive (RED). This Act introduces requirements to ensure network protection by preventing radio equipment from interfering with network performance or misusing resources. It also brings in safeguards to protect users' personal data and privacy, and includes features to guard against fraud.
From 1 August 2025 these enhanced cybersecurity requirements will become mandatory for all companies selling into Europe. Although they will not apply to those selling into markets including the UK, US or China, in reality, this means most global businesses will need to meet the requirements.
Compliance with the new cybersecurity requirements can be addressed by the EN 18031 series of standards, published last year and recently being harmonized by the European Commission with certain restrictions . These standards focus on network protection, data security, and fraud prevention. BSI has expanded its UK testing capabilities to enable conformity testing against these standards and is primed to help companies retain access to one of the world’s largest markets. With state-of-the-art laboratories and a global reach, BSI’s enhanced set up is designed to enable manufacturers to efficiently achieve RED compliance.
The RED ensures the safety, performance, and interoperability of wireless devices in the EU. The introduction of the new requirements and the EN 18031 standards marks a shift towards prioritising cybersecurity, addressing three critical areas. Devices must be designed to avoid disrupting networks or misusing resources, while ensuring personal data and user privacy are properly safeguarded. Additionally, effective mechanisms should be in place to prevent unauthorised transactions and protect against fraud.
The new requirements apply to a broad range of product categories, including consumer electronics (smartphones, tablets, and wearables), IoT and smart devices (connected home systems and industrial equipment), payment and financial devices (wireless payment systems), digital and connected fire equipment (IoT-enabled alarms and lighting), entertainment and educational products (gaming consoles and e-readers), transportation and safety devices (vehicle telematics and keyless entry systems), and communication and networking devices (Wi-Fi routers and Bluetooth hubs). They also apply to certain, non-internet connected radio equipment such as wearables, toys and childcare products, if they process personal information including voice and face information.
Carlos Pérez Ruiz, Global Head of Digital Trust, Product Certification at BSI, said: “Manufacturers of internet-connected devices will recognize the growing importance of cybersecurity in our current digital and interconnected era. As the Radio Equipment Directive (RED) Delegated Act deadline approaches, meeting these new EU cybersecurity requirements is critical. Compliance will not only retain market access but also ensure devices are not left vulnerable to security breaches that could impact both consumers and manufacturers.
By aligning with the new EN 18031 standards, manufacturers can ensure their products are safe, secure, and trusted across Europe. BSI is committed to supporting companies with our expanded testing capabilities to help them navigate these complex regulations, maintain access to one of the largest global markets, and ultimately give people the confidence to use devices that are increasingly a mainstay of daily life.”
You can find further information and download BSI’s RED guide and readiness checklist, here.
