How Do You Sell A Connected Device In Europe?

With growing security breaches in connected devices, the EU’s updated RED directive makes cybersecurity compliance mandatory from August 2025. What should Indian sellers know to enter the European market? At Indian Electronics Week 2025 in Bengaluru, Ravindra Kumar Shivaraju from the German testing and certification body TÜV SÜD breaks it down.

For those working in research and development (R&D) teams or startups focused on developing products for global markets, including India and other international regions, one of the primary questions that arises is: How can we successfully and legally sell this product in a specific region?

When a product incorporates wireless capabilities or smart connectivity, the path to market becomes more complex due to numerous regulatory requirements that must be met before entry.

With over 200 countries worldwide, each with its own regulatory environment, navigating compliance can be a significant challenge. In this context, I will focus specifically on the European market, drawing on my role in the Product Testing and Certification department at TÜV SÜD, a German testing and certification body with more than 150 years of experience, headquartered in Munich.

I will highlight a recent and important update concerning cybersecurity requirements for connected devices, introduced under the Radio Equipment Directive (RED) in the European Union.

The RED 2014/53/EU is a directive that regulates the marketing of radio and wireless communication devices within the EU. Its primary purpose is to ensure that such equipment meets essential requirements relating to health and safety, electromagnetic compatibility (EMC), and efficient use of the radio spectrum.

So, if you intend to sell a product in Europe that connects to the internet wirelessly (via Bluetooth, Wi-Fi, or cellular), it must comply with RED.

Over the years, RED has served as a framework to ensure that wireless devices, from smartphones to Internet of Things (IoT) gadgets, operate safely and without interfering with each other or with broader infrastructure.

In response to the growing risks associated with the IoT and increased digital connectivity, the EU expanded RED to include cybersecurity requirements. This move aligns with broader EU digital policy goals, particularly the Digital Decade strategy introduced in 2020.

The EU recognised that connected products, like smart toys, wearable devices, and wireless-enabled payment terminals, are increasingly vulnerable to cyberattacks and privacy breaches.

Consequently, the European Commission adopted Delegated Regulation (EU) 2022/30, which supplements RED by activating Articles 3.3(d), (e), and (f). These articles cover network protection from harm, personal data and privacy, and fraud prevention, respectively. The delegated act was published in the EU’s official journal in January 2022.

As of January 2025, the EU has mandated that products falling under the RED must comply with new cybersecurity requirements, which become enforceable from August 1, 2025, following a seven-month transition period. To support this, the EU has introduced three harmonised standards: EN 18031-1, EN 18031-2, and EN 18031-3, published in September 2024 and formally adopted into the EU’s Official Journal in January 2025.

These standards address general cybersecurity principles, personal data protection, and fraud prevention, aligning with the EU’s broader digital policy agenda.

Traditionally, RED focuses on three key areas:

  1. Health and safety (Article 3.1a)
  2. Electromagnetic compatibility (EMC) (Article 3.1b)
  3. Efficient use of the radio spectrum (Article 3.2)

Now, under Article 3.3, the directive expands to include mandatory cybersecurity provisions for connected devices.

Under the RED delegated act, the new cybersecurity requirements apply specifically to products classified into three categories: Category D, which includes devices that connect directly or indirectly to the internet; Category E, covering wearables, toys, and other consumer-connected devices; and Category F, which encompasses payment terminals and similar financial devices. Compliance with these cybersecurity provisions becomes mandatory from August 2025 for all products falling into these groups.

To demonstrate compliance with the RED’s cybersecurity requirements, manufacturers must follow one of two certification routes. If harmonised standards, such as the EN 18031 series, are available and the product fully meets them, the manufacturer may opt for self-declaration and affix the CE mark to indicate conformity.

However, if the standards are not yet harmonised, or if the product does not fully align with them, certification must be done through a notified body, such as TÜV SÜD, which will carry out an independent conformity assessment.

This pathway ensures that the product’s cybersecurity measures are adequately validated before it is placed on the market.

The EU’s push to strengthen cybersecurity in connected devices stems from broader digital policy initiatives, beginning with the Digital Vision in 2020 and followed by the introduction of the Cyber Resilience Act. These efforts aim to secure the rapidly expanding IoT ecosystem by embedding security principles directly into product design and compliance frameworks.

Certain sectors are explicitly exempt from these new requirements, as other regulatory frameworks already govern them. These include medical and in-vitro diagnostic (IVD) equipment, aerospace systems, vehicle electronics, and some financial tools.

But for all other manufacturers producing connected devices intended for the European market, aligning with RED’s cybersecurity obligations is essential to avoid regulatory barriers and ensure continued market access.

Now, how do we test for this?

Unlike traditional black box testing, we use a grey box approach, meaning we evaluate not just functionality but also the design, firmware, documentation, password protection, and data handling. This form of testing goes beyond surface-level performance and includes techniques such as fuzzing, threat modelling, and vulnerability assessments to uncover hidden security risks.

We also examine how data is stored, managed, and protected. For companies that manufacture a range of similar products, minor design changes may not necessitate retesting. However, modifications, especially those that affect cybersecurity features, must be re-evaluated to maintain compliance.

One common question we receive is: If my product is already in EU warehouses before August 2025, do I need to comply?

If it is a one-time shipment and has already been placed on the market, it is exempt from the new requirements. However, for ongoing sales, new production batches, or market re-entries after that date, full compliance with the updated directive is required. Products placed on the EU market before August 1, 2025, are generally exempt only if they were introduced in a single shipment and are not being resupplied.

Non-compliance can lead to serious consequences, including penalties, product recalls, and market bans. EU authorities conduct market surveillance, and failure to meet mandatory cybersecurity standards will not be overlooked.

Ensuring compliance is not just a regulatory necessity but also a way to demonstrate credibility and build trust with consumers and partners.

So, in summary: if the relevant cybersecurity standards (EN 18031-1, 2, or 3) are published and applicable to your product category, you may follow the self-declaration route and apply the CE mark. If not, you must go through a notified body such as TÜV SÜD for assessment.

These requirements apply to any product that connects directly or indirectly to the internet, including those using Wi-Fi, Bluetooth, or RFID.

Many countries outside Europe also reference or align with EU regulations, so achieving compliance with RED not only grants access to the European market but also supports wider global acceptance.

I hope you now know the best way to prepare for the August 2025 deadline.

Based on a session titled ‘Global Market Access for Connected/Smart Devices’ delivered by Ravindra Kumar Shivaraju, AVP – E&E, TÜV SÜD, at the Indian Electronics Week, held at the KTPO Expo Centre, Bengaluru, on 26 February 2025. It has been transcribed and curated by Shubha Mitra, Journalist at EFY.

Shubha Mitra
Shubha Mitra is an Assistant Editor at EFY, keenly interested in policies and developments shaping the electronics business.
