RED 3.3: How to Get Compliant with the EU Radio Equipment Directive

If your company builds or sells connected devices that use radio technologies in Europe, there’s a critical update you need to prepare for. Starting August 1, 2025, new cybersecurity rules under the Radio Equipment Directive (RED) 3.3 become mandatory.

These rules will apply to a wide range of IoT devices and require stronger security by design. In this guide, we break down who’s affected, what needs to be done, and how Exein can help you to get ready in time to avoid potential trouble.

What Is RED Article 3.3?

The Radio Equipment Directive (2014/53/EU) is an EU law that sets rules for selling radio equipment in Europe. It ensures the equipment is safe, doesn’t interfere with other devices, and uses the radio spectrum efficiently.

It sets safety and performance standards for any product that uses radio waves to communicate in the EU. Its Article 3.3 (d), (e), and (f) introduce new cybersecurity requirements, focusing on:

  • Protecting networks from threats
  • Securing personal data
  • Preventing fraud or misuse

These requirements were published in 2022, with a three-year transition period. From August 1, 2025, compliance is no longer optional.


Which Products Are Covered?

RED Article 3.3 applies to the following connected products:

  • Smartphones, tablets, laptops
  • Smart home and IoT devices (e.g. lights, thermostats, TVs)
  • Smart watches, wearables and toys with connectivity
  • Payment systems and POS devices
  • Modems, routers and communication modules
  • Emergency response equipment
  • Connected medical or childcare monitors

Devices already covered under more specific EU legislation (such as medical, automotive, or aviation regulations) are excluded if equivalent cybersecurity requirements are in place, depending on the product category and the applicable harmonised standards.

Products placed on the market before August 2025 are not affected unless updated or re-launched.


Who Needs to Comply?

The rules apply to all businesses placing affected products on the EU market, including:

  • Manufacturers (inside or outside the EU)
  • Importers bringing devices into the EU
  • Distributors who sell or repackage devices in the EU

Everyone in the supply chain shares responsibility for ensuring compliance.


What are the requirements to meet RED 3.3 standards?

To meet RED Article 3.3 requirements, your product must:

1. Protect the Network - Article 3.3 (d)

  • Your device must not damage or disrupt the networks it connects to (for example, by causing overload or denial-of-service attacks).
  • It must use network resources, including bandwidth, efficiently, so it doesn’t affect other users or services.

Radio Equipment Directive - Article 3.3 (d)

Radio equipment does not harm the network or its functioning nor misuse network resources, thereby causing an unacceptable degradation of service;

2. Protect User Data - Article 3.3 (e)

  • Devices must protect personal, location, and traffic data during use and transmission.
  • Use basic protection methods such as:
      • Encryption
      • User authentication
      • Access controls
      • Secure data storage
  • Users should be able to control or delete their data when appropriate (e.g., through privacy settings or reset options).

Radio Equipment Directive - Article 3.3 (e)

Radio equipment incorporates safeguards to ensure that the personal data and privacy of the user and of the subscriber are protected;

3. Prevent Fraud - Article 3.3 (f)

  • If your product is used for payments or stores sensitive information, it must block unauthorized access.
  • Include features like secure startup, digital signatures, and user verification.

Radio Equipment Directive - Article 3.3 (f)

Radio equipment supports certain features ensuring protection from fraud;


How to Prove RED 3.3 Compliance

To legally sell your connected product in the EU, you must show it meets the RED cybersecurity requirements. Here's how:

1. Follow the EN 18031 series of harmonised cybersecurity standards

The European Commission publishes harmonised standards that define what compliant security looks like.

EN 18031-1: General cybersecurity requirements

EN 18031-2: Privacy and data protection

EN 18031-3: Fraud protection measures

By fully applying these standards, you will be able to self-declare compliance.

If you don’t follow them, or only apply parts of them, you must justify your approach, and you may need to involve a Notified Body (see point 5).

2. Declaration of Conformity (DoC)

This is a signed statement that your product meets all the relevant EU requirements. It should include:

  • Product name and model
  • Applied standards (e.g., EN 18031)
  • Manufacturer/importer details
  • Signature from an authorized person

You must keep it available for EU authorities upon request.

3. Technical Documentation

You need to compile and retain a technical file that proves how your product complies. It must include:

  • Product description and intended use
  • Design and safety features
  • Risk analysis and how risks are mitigated
  • Test reports for security and connectivity
  • Instructions for use and installation

This must be kept for 10 years after placing the product on the EU market.

4. Apply the CE Mark

Once you've completed the steps above, add the CE marking to your product, its packaging, and user materials.

This shows your product is safe and compliant with EU law.

5. Notified Body Assessment (If Required)

You must involve a Notified Body if:

  • Your device is considered high risk (e.g., handles financial data, performs OTA updates, processes sensitive personal info)
  • Or you don’t follow harmonised standards in full

You can find a full, searchable list of RED Notified Bodies on the NANDO database.


What If You Don’t Comply?

Failing to meet RED Article 3.3 can lead to:

Fines

Fines can reach up to €10 million or 2% of global turnover for serious non-compliance, though exact amounts vary by country depending on how RED is enforced at the national level.

Product Bans and prohibition on CE marking

Non-compliant products may be removed from sale, recalled, or blocked at EU borders.

If a security flaw in your product leads to a data breach or network attack, your company could face lawsuits and compensation claims. Related laws (like GDPR) allow for fines up to €20 million or 4% of global turnover.


Exein Helps You Meet RED 3.3 Compliance

At Exein, we simplify your path to Radio Equipment Directive (RED) Article 3.3 compliance.

We start by helping you understand the regulation, assess how it applies to your products, and review your design for compliance risks.

Our platform then adds built-in security features like secure boot, data protection, and threat detection, aligned with EN 18031 standards.

Finally, we test your devices not only for RED but also for broader EU regulations like the Cyber Resilience Act, making your compliance faster, complete, and future-proof.

You’re still in time to avoid potential trouble. Don’t hesitate to book a demo and secure your products.


Reach compliance with all EU regulations: RED, CRA, DPP

The Radio Equipment Directive (RED) 3.3 cybersecurity update marks a major step in the EU’s digital product regulation. It affects almost every connected product on the market, and it will soon be accompanied by the Cyber Resilience Act and the Digital Product Passport.

Together, these regulations define the EU’s direction: stronger cybersecurity, and more product transparency than ever before. Contact us and make sure to be ready and compliant.


Timeline

Apr 16, 2014 – RED officially adopted, replacing the old R&TTE Directive in the EU

Jun 13, 2016 – RED enforcement begins for all EU radio equipment

Jan 12, 2022 – RED updated to include cybersecurity requirements (Art. 3.3)

Jan 30, 2025 – Final harmonised standards (EN 18031) published officially

Aug 1, 2025 – RED 3.3 cybersecurity rules become mandatory

Sep 2026 – Cyber Resilience Act (CRA) initial obligations begin

Dec 2027 – Full CRA and Digital Product Passport (DPP) rules come into effect