
RED Cybersecurity Rules: What EU-Bound Connected Electronics Need Now

Since 1 August 2025, EU-bound connected devices must meet RED Article 3.3 cybersecurity rules. What EN 18031 testing involves and how it changes CE budgets.

Updated June 2026

If your CE lab just added a line item for “RED Article 3.3 cybersecurity” to a quote for a smart plug, a camera, or anything else with Wi-Fi or Bluetooth, the charge is real. Since 1 August 2025, internet-connected radio equipment placed on the EU market has to meet cybersecurity requirements that did not exist as enforceable rules before, and labs now assess them alongside the rest of CE marking. Many Chinese factories have not caught up, which makes this something importers tend to discover at quoting time or, worse, when a buyer or market surveillance authority asks for the paperwork. This is general information, not legal advice, and importers should confirm their product’s obligations with an accredited lab or a regulatory consultant.

What Changed on 1 August 2025

The Radio Equipment Directive (2014/53/EU) has always contained three dormant essential requirements in Article 3(3): protection of the network in point (d), protection of personal data and privacy in point (e), and protection from fraud in point (f). Dormant means the directive allowed the European Commission to switch them on for specific categories of equipment whenever it chose. For years it did not.

That changed with Commission Delegated Regulation (EU) 2022/30, published in January 2022, which activated all three requirements for internet-connected radio equipment. The original application date of 1 August 2024 was pushed back a year by Delegated Regulation (EU) 2023/2444 because the supporting standards were not ready. Since 1 August 2025 the requirements apply in full. There is no new logo and no separate certificate. The cybersecurity requirements are simply part of RED conformity now, which means they sit inside the same Declaration of Conformity and technical file you already maintain for CE.

The practical effect: a RED test report issued before August 2025 does not cover these requirements. If your supplier hands you a CE file dated 2023 for a connected product, it is incomplete for current EU entry no matter how legitimate it was when written.

Which Devices Are in Scope

The trigger is internet connectivity. Radio equipment that can communicate over the internet, whether it connects directly or through any other device, falls under Article 3(3)(d). Your smart plug never talks to the internet on its own; it talks to a Wi-Fi router or a phone app that does. That still counts. The same logic pulls in cameras, video doorbells, smart bulbs, robot vacuums with app control, GPS trackers, and most of the smart home category coming out of Shenzhen.

The other two requirements attach to narrower groups. Article 3(3)(e), the privacy requirement, applies to internet-connected equipment that processes personal data, and also to childcare equipment such as baby monitors, toys covered by the EU Toy Safety Directive, and wearables. Article 3(3)(f), the fraud requirement, applies to equipment that handles transfers of money or virtual currency, payment terminals being the obvious case.

A few categories are carved out because they have their own regulatory regimes: medical devices, in vitro diagnostics, civil aviation equipment, motor vehicles, and electronic road toll systems. For a typical consumer electronics importer, the safe assumption is the opposite of an exemption. If the product has a radio and an app, it is in scope.

What Labs Assess Under EN 18031

The standards behind the new line on your quote are the EN 18031 series, published by CEN and CENELEC in 2024. EN 18031-1 maps to network protection, EN 18031-2 to personal data, and EN 18031-3 to fraud. The European Commission cited all three in the Official Journal on 28 January 2025 through Implementing Decision (EU) 2025/138, which gives products assessed against them a presumption of conformity, with restrictions covered below.

An EN 18031 assessment looks different from the radio and safety testing you may know. Less chamber time, more interrogation of the design. The lab works through mechanisms like access control, authentication, secure software updates, secure storage of credentials and data, secure communication, and resilience against denial of service, and for each one the factory has to show what the device does and justify why it is adequate. That means firmware-level answers: how updates are signed and delivered, what happens to default credentials at setup, what data leaves the device and where it goes.

This is where projects stall. The trading company that sold you the product usually cannot answer any of it, and the factory’s engineers may need weeks to produce documentation they have never been asked for before. When you brief testing labs in China, ask them to itemize which of the three standards apply to your product and what documentation they need from the factory on day one.

The Password Catch That Can Force a Notified Body

The Official Journal listing of EN 18031 came with restrictions, and one of them matters for almost every consumer device. The standards as written let a manufacturer offer the user the choice not to set a password. The Commission decided that option does not satisfy the essential requirements, so a product relying on those clauses cannot use the self-declaration route on the back of the harmonized standard alone. It needs an EU-type examination by a Notified Body instead, which adds cost and weeks to the schedule.

There are parallel restrictions on EN 18031-2 concerning parental access controls on toys and childcare equipment, and on EN 18031-3 concerning secure update methods for equipment handling financial assets.

For most products the cheaper fix is design, not certification. A device that forces the user to set credentials at setup, with no permanent factory default password, stays on the self-declaration path. But that is a firmware decision made at the factory before testing starts, so raise it during sampling, not after your lab fails the file. If your product falls under the restricted clauses anyway, budget for the Notified Body route and confirm the lab you use can run it or hand off to one that can.
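To make the firmware decision concrete, here is an added illustration (not code from EN 18031, the Commission decision, or any lab) modelling the two setup designs side by side: a legacy device with a permanent factory password where the user may decline to set their own, and a device that refuses service until the user sets credentials. The class names, the minimum length and the sample default are assumptions made for the example.

```python
# Hypothetical model of the two credential designs discussed above. Not code
# from any standard or test lab; policy values below are assumed.
import hashlib
import hmac
import os
from typing import Optional

MIN_PASSWORD_LEN = 12          # assumed policy value, not taken from EN 18031
FACTORY_DEFAULT = "admin"      # constructed sample default for the legacy design


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so a leaked credential store is not directly reusable.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class LegacyDevice:
    """Before: the factory default stays valid and setup may be skipped."""

    def __init__(self) -> None:
        self.salt = os.urandom(16)
        self.user_hash: Optional[bytes] = None

    def setup(self, password: Optional[str]) -> None:
        if password is not None:          # None models the user choosing "skip"
            self.user_hash = _hash(password, self.salt)

    def login(self, password: str) -> bool:
        if password == FACTORY_DEFAULT:   # permanent default is always accepted
            return True
        return self.user_hash is not None and hmac.compare_digest(
            _hash(password, self.salt), self.user_hash)


class ForcedSetupDevice:
    """After: no service until a user-chosen password exists; no default."""

    def __init__(self) -> None:
        self.salt = os.urandom(16)
        self.user_hash: Optional[bytes] = None

    def setup(self, password: Optional[str]) -> None:
        if password is None:
            raise ValueError("setup cannot be skipped")
        if len(password) < MIN_PASSWORD_LEN:
            raise ValueError("password shorter than policy minimum")
        self.user_hash = _hash(password, self.salt)

    def login(self, password: str) -> bool:
        if self.user_hash is None:        # setup incomplete: nothing is accepted
            return False
        return hmac.compare_digest(_hash(password, self.salt), self.user_hash)
```

The first class is the design the Commission's restriction targets; the second is the one that keeps a product on the self-declaration path, which is why it has to be settled in firmware before samples reach the lab.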

Budget for It Before You Order

Treat RED cybersecurity the way this site treats every certification: a landed-cost item to price during product research, not a surprise to absorb later. Get the EN 18031 scope itemized in your lab quote, in writing, including whether 18031-2 or 18031-3 apply at all. For a plain smart plug with no personal data processing and no payment function, often only 18031-1 does, and paying for all three is paying for scope you do not need.

Then pressure-test the supplier. Ask for an EN 18031 assessment report referencing the actual firmware version you will ship, not a generic certificate. A factory that answers “CE no problem” without producing one is telling you the work has not been done, and under EU rules the party placing the product on the market carries the consequences, which for a private-label importer means you.

One more date for the calendar: the EU Cyber Resilience Act (Regulation (EU) 2024/2847) brings its own, broader cybersecurity obligations for connected products from 11 December 2027. Hardware you develop now will live under that regime too, so a supplier with a real update mechanism and real security documentation is worth more than one undercutting them by a dollar a unit. The RED rules are the first round of EU device cybersecurity, not the last.