What is Radio Equipment Directive (RED) and Why Should You Care?

  Jun 17, 2025 3:46:51 PM

The Radio Equipment Directive (RED) is a regulatory framework established by the European Government for launching radio equipment in the European market. RED is a crucial step towards setting safety, compatibility, and radio spectrum standards for radio equipment in the EU. It covers all devices and products under the sun that either directly or indirectly emit or receive radio waves for communicating information. This blog discusses what it means to comply with RED and how it can make or break your market penetration in the EU.

RED was initially introduced to ensure that devices using the radio spectrum do not interfere with each other, but its scope has expanded significantly over time. With rising concerns about data privacy, network abuse, and software vulnerabilities, the directive has evolved to address cybersecurity as a core requirement. The delegated regulation EU 2022/30, which amends RED, explicitly mandates that radio-enabled products placed on the EU market must incorporate safeguards against misuse, unauthorized access, and software manipulation, bringing software security to the center of hardware compliance.

Which Devices are Covered under RED?

RED covers a range of products including:

  • Mobile Phones
  • Broadcasting Devices
  • Routers
  • WiFi/Bluetooth/GPR-enabled Devices
  • Smartwatches
  • Fitness bands/watches/rings
  • Laptops

From wearables and IoT gateways to medical sensors and connected vehicles, any product with radio capabilities must now demonstrate robust cybersecurity measures, not just during design and production, but also across its lifecycle. It’s important to note that the classification under RED is based on functionality, not form factor. So, if your device connects via Wi-Fi, Bluetooth, LTE, 5G, RFID, or even NFC, it most likely falls under RED, regardless of whether it's a consumer gadget, industrial IoT unit, or embedded component in a larger system. This classification also means that previously exempt or borderline devices must now undergo risk-based assessments for secure design and operation, even if they are part of another certified system.

Are there products/devices that do not fall under RED?

Absolutely! Certain devices and products are not covered by RED including:

  • Marine Equipment
  • Aviation Equipment
  • Custom-built Evaluation Kits

These exclusions are typically governed by domain-specific regulatory frameworks. For instance, marine equipment is regulated under the Marine Equipment Directive (MED), and aviation systems fall under EASA (European Union Aviation Safety Agency) regulations. Evaluation kits and prototypes, provided they are not sold commercially, are often exempt but may still require internal security assessments depending on deployment context. If you're unsure whether your product qualifies for exclusion, it's best to conduct a formal RED applicability analysis or consult with a notified body.

What Happens if a Manufacturer or OEM does not Comply with RED?

Since RED was introduced primarily to protect personal data, interoperability, access to high-end energy services, radio software and hardware, non-compliance may land manufacturers in trouble. Non-compliance with RED cybersecurity mandates can be costly:

  • Products may be withdrawn from the EU market
  • Customs authorities can block imports that fail cybersecurity checks
  • Manufacturers risk product recalls and reputational damage

RED (2014/53/EU) and its delegated regulation (EU 2022/30) now require:

  • Protection from network misuse and data breaches
  • Secure-by-design measures including encryption, updates, access control
  • Risk assessment and conformance for all radio-enabled products sold in the EU

The regulation not only impacts initial certification but also has ongoing lifecycle implications: manufacturers are expected to ensure that software updates (especially over-the-air), firmware changes, and even diagnostic sessions comply with cybersecurity expectations. Non-compliance can also disrupt supply chain partners who depend on RED-marked products as inputs for larger systems. In essence, RED non-compliance can create a ripple effect, jeopardizing commercial relationships, regulatory trust, and market access.

How Sasken Helps: A 4-Phase, End-to-End Certification Framework

Sasken’s RED Cybersecurity Assessment Process is engineered to support both self-assessment and third-party certification with a notified body. Our phased model ensures clarity, control, and compliance at every step:

Pre-Assessment Preparation
  • Stakeholder alignment and milestone planning
  • Understanding intended equipment functionality
  • Documentation readiness and checklist planning
Conceptual Assessment
  • Gap analysis using decision trees and RED 18031 applicability
  • Template-based asset and mechanism evaluation
  • 14+ security mechanisms covered including Access Control, Secure Updates, Logging, Cryptography, etc.
Functional Assessment
  • Hands-on cybersecurity testing
  • Evidence mapping and documentation validation
  • Identification of implementation gaps and feedback loop for fixes
Functional Sufficiency Assessment
  • Final stage includes penetration testing, fuzzing, and vulnerability scanning
  • Objective: Demonstrate the device is secure and RED-ready

RED EN 18031 Certification – Sasken’s Role

RED EN 18031 is the harmonized standard guiding cybersecurity for radio equipment. Sasken enables certification through:

  1. EN 18031 Applicability Checks
  2. Template Alignment with Accredited Certification Labs
  3. Evidence Submission for Notified Body Review or Self-Assessment

We support gap remediation and resubmission, ensuring you’re never stuck midway through the process.

Why Choose Sasken?

Blended Engineering + Security Expertise

Decades of product engineering expertise combined with deep knowledge of embedded security, especially automotive, consumer electronics, and industrial devices.

Regulatory Fluency

We stay aligned with evolving standards like EN 18031, CE Marking, and RED directives, so you don’t have to decode legal text.

End-to-End Support

From scope identification and technical documentation to test planning and remediation, our team handles the full compliance cycle.

What Should You Do Next?

Whether you’re preparing a new device or updating a deployed product, RED compliance must be part of your product roadmap:

  • Map cybersecurity gaps based on RED categories
  • Implement secure-by-design architecture
  • Align updates, cryptography, and access control with EN 18031
  • Choose between self-assessment or third-party certification
  • Prepare documentation and validation reports
  • Educate internal stakeholders on RED pathways

Let Sasken be your engineering and compliance partner to ensure your connected products meet the highest cybersecurity benchmarks for the European market.

Need a RED Readiness Workshop or Assessment? Reach out to our certification experts and let’s get started.

Posted by:
Aditya TT
