EU Enforces Radio Equipment Directive (RED) Articles 3.3(d), (e) and (f) for Cybersecurity

SG 115/25

The Radio Equipment Directive (RED) Articles 3.3(d), 3.3(e) and 3.3(f) have been activated and will come into force August 1, 2025. 

Which devices are covered by RED requirements?

Articles 3.3(d), 3.3(e) and 3.3(f) applies to internet-connected equipment, personal data and financial information, respectively: 

• Article 3.3(d): radio equipment that can communicate over the internet, either directly or via any other equipment.
• Article 3.3(e): equipment capable of processing personal, traffic or location data, excluding radio equipment designed or intended exclusively for childcare, equipment covered under the Toys Directive (2009/48/EC) and radio equipment designed or intended to be worn on, strapped to or hung from the body or clothing
• Article 3.3(f): internet connected radio equipment that enables the holder or user to transfer money, monetary value or virtual currency

Medical devices under Regulations (EU) 2017/745 and (EU) 2017/746 are exempt from Articles 3.3(d), 3.3(e) and 3.3(f). Civil aviation equipment under Regulation (EU) 2018/1139, motor vehicles under Regulation (EU) 2019/2144 and road toll systems under Directive (EU) 2019/520 are exempt from article 3.3(e) and 3.3(f), however, Article 3.3(d) still applies to them.

The CENELEC standards EN18031-1, EN18031-2 and EN18031-3 have been published in the Official Journal of the European Union; however, they were published with restrictions. In accordance with RED Article 17, a Notified Body is required if a manufacturer does not apply harmonized standards or has not fully applied them (i.e. applied only part of a harmonized standard). Even though the CENELEC standards were published with restrictions, these restrictions may not apply to all products; therefore, it is still possible to self-declare using these standards. Manufacturers must perform due diligence in evaluating their product, applying appropriate standards and using a Notified Body as needed to ensure compliance with all appropriate directives before placing a product on the market.

How we support you

Leveraging our experience and expertise in cybersecurity evaluations of various products and solutions, we have developed a comprehensive, step-by-step approach to guide you through each stage of the evaluation and certification process. Our scope encompasses the full range of training, pre-assessment and evaluation services, enabling you to fast-track time to market. Through our global network, we can assess all products against a wide variety of internationally recognized standards. As a Notified Body, we can issue EU-type certification for products destined for European markets, to show compliance with RED 3.3 (d), (e) and (f).

• Training/workshops – designed to help manufacturers and developers gain a deeper understanding of the specific security requirements relevant to their products
• Product design review – we support you in the initial phases of product development with a thorough product design review and vulnerability scan
• Product testing – we perform pre-market assessments using the latest EN 18031 standards
• SGS Cybersecurity Mark – awarded upon successful completion of the evaluation to demonstrate your product's adherence to high security standards
• EU Type Certificate – issued by SGS Notified Body in accordance with RED Articles 3(3) (d), (e) and (f) using the latest EN 18031 standards

Read more about RED here.

Our holistic total solution services for electrical & electronic products, delivered through our global network of accredited testing laboratories, ensure manufacturers and retailers have access to expert support at every stage of the product life cycle, from design, production and regulatory compliance to the import and export of goods. Contact us for more information or visit our website. In the end, it’s only trusted because it’s tested.