Services
About Us

As a global safety science leader, UL Solutions helps companies to demonstrate safety, enhance sustainability, strengthen security, deliver quality, manage risk and achieve regulatory compliance. 

Overview
UL Solutions Consumer Information

See how we put safety science to work to help create a safer, more secure and sustainable world for you.

Learn more
Resources

Explore our business intelligence-building digital tools and databases, search for help, review our business information, or share your concerns and questions.

Overview
UL Solutions Market Access Portal

Accelerate your planning process and learn the requirements needed to take your products to market worldwide.

Visit
myUL® Client Portal

A secure, online source for increased visibility into your UL Solutions project files, product information, documents, samples and services.

Go to myUL
Certification Database — UL Product iQ®

Access UL certification data on products, components and systems, identify alternatives and view guide information with Product iQ.

Visit
Industries
View All
  • Software and Products
  • Service

UL Solutions Cybersecurity for RED Compliance

Learn more about Article 3.3 of the European Commission’s Radio Equipment Directive 2014/53/EU (RED), which addresses radio-specific device requirements ranging from common interfaces to cybersecurity.

Contact us
Friends sharing information on smartphones

Overview of the Radio Equipment Directive (RED) 2014/53/EU

Key provisions of RED 

The European Commission’s (EC) Radio Equipment Directive 2014/53/EU (RED) establishes a regulatory framework for radio equipment, setting essential requirements for safety and health, electromagnetic compatibility (EMC) and radio spectrum efficiency. Article 3.3 of the Directive includes device requirements related to specific categories of radio equipment, ranging from common interfaces to cybersecurity.

Timeline for compliance

On Jan. 12, 2022, the Official Journal of the European Union published delegated Regulation 2022/30/EU, enforcing compliance requirements to RED Article 3.3(d), (e) and (f). The regulation aims to provide network security, personal data protection, and privacy and fraud protection for applicable wireless devices available on the EU market (see figure). It took effect Feb. 1, 2022, and becomes mandatory on Aug. 1, 2025, giving device manufacturers a 42-month transition period.    

Detailed analysis of RED Article 3.3 cybersecurity requirements

RED Article 3.3 Cybersecurity

RED Article 3.3 Cybersecurity shown on a chart

Network protection under Article 3.3(d)

Article 3.3(d) improves network protection. Device manufacturers will have to include features that avoid harming communication networks and prevent the device from disrupting functionality.

Personal data and privacy under Article 3.3(e)

Article 3.3(e) strengthens personal data and privacy protection. For example, device manufacturers will have to implement measures to prevent unauthorized access or transmission of consumers’ personal data.

Anti-Fraud Measures under Article 3.3(f)

Article 3.3(f) reduces the risk of fraud. Device manufacturers will have to include features such as improved user authentication control to minimize fraudulent electronic payments and monetary transfers.

Scope and impact of RED cybersecurity requirements

Devices covered by the new regulation

The new regulation covers devices that can communicate over the internet, whether directly or via other equipment. Radio equipment that may expose sensitive personal data is also in scope. For example:

  • Mobile phones, tablets and laptops
  • Wireless toys and children’s safety equipment, such as baby monitors
  • Wearable devices, such as smartwatches and fitness trackers
  • Wireless energy and industrial products such as EV chargers, energy meters, industrial wireless sensors, industrial IoT edge computers and automation controls, industrial routers and antennas, and smart motors.

Article 3.3(d) applies to devices related to network protection. Article 3.3(e) applies to equipment that processes personal data, traffic data or location data (for detailed data definitions, refer to Article 4(1) and 4(2) of EU Regulation 2016/679 and Article 2(b) and (c) of Directive 2002/58/EC).

Article 3.3(f) applies to radio equipment that enables the holder or user to transfer money, monetary value or virtual currency as defined in Article 2(d) of EU Directive 2019/713. Cybersecurity measures should factor in emerging crime trends in the electronic payments industry, such as crypto-jacking, ransomware, near-field communication-related fraud and biometric authentication tampering.

Exemptions and special considerations

Devices already within the scope of EC Regulations 2019/21446 (type examination for vehicles), 2018/11397 (civil aviation) or Directive 2019/520 (electronic road-toll systems) that have similar security requirements do not fall under the new Article 3.3 (e) and (f) but shall comply with Article 3.3 (d).

Overview of EN 18031 series standards and UL Solutions’ role in facilitating RED compliance

In August 2022, the EC issued a standardization request to the European Standard Organization (ESO) CEN/CENELEC, which initiated the work on the harmonized standards. UL Solutions reviewed the first draft of the proposed standard and submitted several comments to help improve the document.

On Aug. 14, 2024, the candidate harmonized standards, the EN 18031 series of standards, was officially released. The standards were officially published in August 2024.

EN 18031 consists of three parts: EN 18031-1, EN 18031-2 and EN 18031-3, and covers Article 3.3(d), (e) and (f), respectively.

  • EN 18031-1:2024 – Common safety requirements for radio equipment - Part 1: Internet-connected radio equipment
  • EN 18031-2:2024 – Common safety requirements for radio equipment - Part 2: Data processing radio equipment, including internet connected radio equipment, childcare radio equipment, toy radio equipment and wearable radio equipment
  • EN 18031-3:2024 – Common safety requirements for radio equipment - Part 3: Internet connected radio equipment handling virtual currency or monetary value

The EN 18031 standard series was harmonized on Jan. 28, 2025, with Implementing decision - 2025/138 - EN - EUR-Lex with restrictions. In parallel, the guidance documents were published by DG Grow to support the harmonization.

Manufacturers may apply the EN 18031 standards and will no longer require a Notified Body (NB) if they are fully compliant. However, any other standards, including PSA, EN 303 645, ISA/IEC 62443, etc., will still require an NB.

Also, if restrictions apply, it is mandatory for the manufacturer to go to an NB unless the manufacturer has applied the relevant EN 18031 standards in full and is not breaking the “restrictions.” An NB is not required under these circumstances.

EN 18031-1:2024 (internet-connected radio equipment): Restrictions

  • The "rationale" and "guidance" sections do not guarantee compliance*
  • Allowing users to operate the device without setting a password

* To expand on point one, these sections serve the following purposes:

  1. Rationale: Explains the reasoning behind specific requirements, helping manufacturers and evaluators understand why certain security measures are necessary.
  2. Guidance: Offers additional information on how to implement or interpret the requirements, providing practical advice for manufacturers.

It's important to note that while these sections are valuable for understanding and implementing the standard, they do not confer a presumption of conformity with the essential requirements set out in Article 3(3) of Directive 2014/53/EU. This means that following the guidance or understanding within the rationale alone is not sufficient to demonstrate compliance with the RED cybersecurity requirements.

EN 18031-2:2024 (radio equipment processing data): Restrictions

  • The "rationale" and "guidance" sections do not guarantee compliance*
  • Allowing users to operate the device without setting a password
  • Inadequate parental/guardian access controls for specific device classes (i.e., implement effective parental/guardian access controls for relevant device categories)

EN 18031-3:2024 (equipment processing virtual money): Restrictions

  • The "rationale" and "guidance" sections do not guarantee compliance*
  • Allowing users to operate the device without setting a password
  • If a toy does not ensure parental or guardian access control, then NB is required
  • Standard assessment criteria set out in clause 6.3.2.4 are not adequate. In the main text paragraph (8) explains: Clause 6.3.2.4 of harmonized standard EN 18031-3:2024 includes assessment criteria for secure updates. Four different implementation categories are established, based on digital signatures, secure communication mechanisms, access control mechanisms or others. None of the methods alone is sufficient for the treatment of financial assets. It is considered that the assessment criteria do not properly address the relevant authentication risks and cannot therefore ensure conformity with the essential requirement set out in Article 3(3), first subparagraph, point (f), of Directive 2014/53/EU.
  • From the “guidance”: A manufacturer of products covered by harmonized standard EN 18032-3:2024 to which clause 6.3.2.4 applies does not benefit from presumption of conformity regardless of the design of the product. A third-party conformity assessment is mandatory.

The harmonized standards, EN 18031, support the essential requirements laid out in Article 3.3 (d), (e) and (f) and contain technical specifications for radio equipment in scope. These specifications cover topics such as network traffic monitoring, denial of service attacks mitigation, authentication and access control mechanisms, secure update mechanism and attack surface reduction. Additionally, specifications address data security and privacy — specifically aiming at issues such as preventing the accidental or unauthorized storage, processing, access, disclosure, destruction or loss of data. Users also have the ability to easily delete their personal data stored on a device before disposing of it to prevent the exposure of their information.

Why choose UL Solutions for RED cybersecurity compliance

Expertise in cybersecurity and compliance

RED impacts any manufacturer producing radio equipment to be sold on the EU market.

Manufacturers will be responsible for cybersecurity throughout the entire life cycle of the device. UL Solutions can help you progress towards RED compliance with advisory services that highlight gaps and provide educational guidance that can help you reach your objectives.

Comprehensive support from strategy to implementation

UL Solutions can support you regardless of your current development stage. For early-stage projects, we can help you understand how to apply security-by-design and embed security in your governance and processes. To this end, we offer training and workshops led by our security experts to equip your team with the knowledge to successfully implement your products.

For projects in a later development stage, we can assist you with a gap analysis or full compliance assessment to EN 18031-1/EN 18031-2/EN 18031-3,  EN 303 645 and IEC 62443-4-2, which will help you increase the security posture of your products. The latter two standards have requirements that overlap with those to address the Essential Requirements for RED and will greatly support your readiness for RED.

Compliance advisory and training services

RED DA and EU Regulatory Landscape Workshop

This workshop provides an overview of the EU cybersecurity regulatory landscape, setting the stage for a deeper understanding of the RED DA for Article 3.3(d), (e) and (f) and its importance in enhancing the security and privacy of connected devices along with the future impacts of the Cyber Resilience Act.

Advisory services

We offer training services for customers at every step of their journey toward RED compliance.

  • Basic – Level 1: Initiation

    Basic advisory services are designed for manufacturers starting their journey into the RED DA and looking for an expert to help identify the major gaps toward future compliance.

  • Substantial – Level 2: Developing

    Substantial advisory services are designed for manufacturers that have already started working on their compliance with RED DA and have prior experience with cybersecurity certifications.

  • High – Level 3: Defined

    These services are designed for manufacturers that are well on track on their journey to compliance with RED DA and looking for an expert to evaluate their work.

Conformity assessment services

In some cases, manufacturers must demonstrate the conformity of their products through assessment by an NB. As an NB, UL Solutions can provide assessment services for Article 3.3 (d), (e) and (f) of the RED. This will allow manufacturers to confirm compliance earlier than the mandated date of Aug. 1, 2025, helping them avoid a potential peak period of product testing.

In addition, to help manufacturers enter global markets smoothly, we provide assessment, testing and certification services for:  

  • EN 303 645: Cybersecurity for Consumer Internet of Things
  • The Cyber Resilience Act (CRA)
  • ISA/IEC 62443: Security for Industrial Automation and Control Systems
  • The U.K. Product Safety and Telecommunications Infrastructure Act (PSTI)
  • US NISTIR 8259A: IoT Device Cybersecurity Capability Core Baseline
  • US NISTIR 8425: Profile of the IoT Core Baseline for Consumer IoT Products
  • California Internet of Things Security Act SB 327
  • Singapore Cybersecurity Labeling Program (CLS)
  • UL Verified IoT Device Security Rating (MCV 1376)
  • ISO 27001: Information Security, Cybersecurity and Privacy Protection — Information Security Management Systems
  • FIPS 140-3
  • Common Criteria

Summary of RED cybersecurity compliance 

The Radio Equipment Directive (RED) 2014/53/EU introduces crucial cybersecurity requirements for internet-connected devices and those handling sensitive personal data. Solutions and technical specifications are available to help you meet these requirements. Manufacturers must comply with these regulations by Aug. 1, 2025. UL Solutions offers comprehensive support for RED compliance, including advisory services, gap analysis and conformity assessments. The expertise covers various stages of product development, from early-stage security-by-design implementation to later-stage compliance evaluations. Given the complexity of these new regulations and the approaching deadline, manufacturers are encouraged to contact UL Solutions for guidance and support in achieving RED compliance and ensuring their products meet the necessary cybersecurity standards for the EU market. 

Download our resources
Cybersecurity

Cybersecurity Requirements in the Radio Equipment Directive

930 KB
Download
Radio

Radio Equipment Directive Cybersecurity FAQ

180 KB
Download
X

Get connected with our sales team

Thanks for your interest in UL's products and services. Let's collect some information so we can connect you with the right person.

Related resources

Related offerings

Related solutions