March 2025 - Cybersecurity | IoT | Digital Policy

Radio Equipment Directive: New Cybersecurity Requirements for IoT

The EU is tightening IoT security standards. Eric Clausing, Lead IoT at AV-TEST, looks at what this means for manufacturers, small businesses, and consumers.

Stricter cybersecurity rules for IoT devices

As of August 1, 2025, the new security requirements under the Radio Equipment Directive (RED) and the Cyber Resilience Act will come into effect. These regulations aim to significantly enhance the protection of IoT devices, but they will present challenges for manufacturers, particularly smaller ones. While compliance efforts may increase, consumers stand to benefit from higher security standards and improved protection.

How will the new cybersecurity requirements impact IoT devices?

IoT products are now a pervasive part of daily life, with access to and influence on the lives of practically every human being. The potential for harm is substantial, making regulatory intervention both necessary and justified. The EU’s measures, including the RED and the more extensive Cyber Resilience Act, are positive steps towards strengthening security standards across the board.

However, implementing these security measures entails additional efforts for manufacturers, particularly those who have not yet dealt with this topic in depth. This could result in higher product prices, particularly in the budget segment. Nevertheless, the operational complexity for users is unlikely to increase significantly. Security mechanisms for network and radio security typically function in the background without requiring user intervention. Devices designed with security by default should already meet compliance requirements, eliminating the need for further user configuration.

How will the new rules affect market access for smaller and international manufacturers?

A key objective of the EU’s cybersecurity strategy is to ensure that only secure digital products enter the European market, regardless of their country of origin. This will ideally lead to a future where only compliant products are available within the EU. Market surveillance authorities will oversee compliance, enforcing stringent penalties or sales bans for non-compliance.

Smaller manufacturers may struggle with the financial and administrative burden of meeting these new security standards. However, special exemptions and financial assistance are often available to alleviate these challenges.

What must manufacturers do to comply with the new requirements?

Manufacturers of affected IoT products – specifically those with Internet connectivity and radio interfaces – must adhere to delegated regulation 2022/30/ and its associated harmonized standards (EN 18031-1/-2/-3). These standards provide scalable self-assessment procedures, allowing manufacturers to evaluate their products' cybersecurity compliance independently. Unlike some other regulatory frameworks, certification by a notified testing body is not mandatory.

From August 1, 2025, compliance with these requirements will be obligatory, with the CE marking serving as proof of conformity. Manufacturers must determine the relevant standards for their products early on and ensure they meet all necessary criteria. While self-assessment is possible, companies with limited cybersecurity expertise may benefit from consulting independent testing authorities.

How will consumers benefit from these new security standards?

Consumers often face difficulties when selecting secure IoT products, as security features are not always transparent. With the introduction of uniform minimum security standards and visible labeling, consumers will gain valuable guidance when making purchasing decisions.

Overall, digital security will improve significantly. Vulnerabilities will be reduced, and potential attack vectors minimized. Ideally, consumers will not even notice these security measures – because when security functions effectively, it remains invisible. It is only in cases of failure that its absence becomes glaringly apparent.

Will mandatory CE marking hinder innovation or increase costs?

There is some validity to concerns that mandatory CE marking could slow innovation due to increased bureaucracy, higher development costs, and extended time-to-market. Small businesses and startups, in particular, may find it difficult to manage the extensive conformity assessment procedures efficiently. Additionally, the cost of compliance testing and product modifications could lead to higher retail prices for consumers.

However, CE marking also brings clear advantages. It ensures consistent security standards, protects consumers, and enhances overall product quality. In the long run, these measures help prevent costly security incidents that could otherwise cause substantial financial and reputational damage.

How will compliance be monitored, and what role will the BSI play?

In Germany, the Federal Network Agency (BNetzA) is responsible for market surveillance under the RED. It will conduct random inspections and investigate suspected violations to ensure compliance with cybersecurity requirements.

For broader regulations such as the Cyber Resilience Act, the supervisory authority has not yet been definitively determined. However, the German Federal Office for Information Security (BSI) has expressed interest in taking on this responsibility, making it a likely candidate.

Manufacturers that fail to comply with the new regulations face strict penalties and potential sales bans. To avoid these risks, affected companies should begin preparations well in advance and implement the necessary security measures diligently.

Eric Clausing has been part of the AV-TEST team since 2015 and is responsible for the conception, implementation and further development of all security and privacy tests and certifications in the area of the Internet of Things.

Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s or interview partner’s own and do not necessarily reflect the view of the publisher, eco – Association of the Internet Industry.