RED 3.3: How to Get Compliant with the EU Radio Equipment Directive

If your company builds or sells connected devices that use radio technologies in Europe, there’s a critical update you need to prepare for. Starting August 1, 2025, new cybersecurity rules under the Radio Equipment Directive (RED) 3.3 become mandatory.

These rules will apply to a wide range of IoT devices and require stronger security by design. In this guide, we break down who’s affected, what needs to be done, and how Exein can help you to get ready in time to avoid potential trouble.

We just released the Radio Equipment Directive 3.3 Guide. Use it as a resource as you navigate RED 3.3 compliance.

What Is RED Article 3.3

The Radio Equipment Directive (2014/53/EU) is an EU law that sets rules for selling radio equipment in Europe. It ensures the equipment is safe, doesn’t interfere with other devices, and uses the radio spectrum efficiently.

It sets safety and performance standards for any product that uses radio waves to communicate in the EU. Its Article 3.3 (d), (e), and (f) introduce new cybersecurity requirements, focusing on:

• Protecting networks from threats
• Securing personal data
• Preventing fraud or misuse

These requirements were published in 2022, with a three-year transition period. From August 1, 2025, compliance is no longer optional.

Which Products Are Covered?

RED Article 3.3 applies to the following connected products:

• Smartphones, tablets, laptops
• Smart home and IoT devices (e.g. lights, thermostats, TVs)
• Smart watches, wearables and toys with connectivity
• Payment systems and POS devices
• Modems, routers and communication modules
• Emergency response equipment
• Connected medical or childcare monitors

Devices already covered under more specific EU legislation (such as medical, automotive, or aviation regulations) are excluded, if equivalent cybersecurity requirements are in place, and depending on product categories and harmonized standards.

Products placed on the market before August 2025 are not affected unless updated or re-launched.

Who Needs to Comply?

The rules apply to all businesses placing affected products on the EU market, including:

• Manufacturers: Must ensure radio equipment meets EU cybersecurity rules and have technical documents to prove it.
  • Authorised Representatives: Can be appointed to help manufacturers comply, keep documents, and work with authorities if needed.
• Importers: Must verify compliance and ensure manufacturers have fulfilled their obligations.
• Distributors: Must check for CE marking, proper documents, and avoid selling non-compliant products.

Everyone in the supply chain shares responsibility for ensuring compliance.

What are the requirements to meet RED 3.3 standards?

To meet RED Article 3.3 requirements, your product must:

1. Protect the Network - Article 3.3 (d)

• Use network resources efficiently, without stressing the network. This means:
  • Avoid overloads
  • Abusive signalling
  • Any other behavior that drags down service quality for others

 2. Protect User Data - Article 3.3 (e)

• Safeguard all personal data wherever it is stored, processed or transmitted, through:
  • Built-in Encryption
  • Strong user authentication
  • Fine-grained access controls
  • Data-minimization
• Allow users to remain in control: they should be able to adjust privacy settings, delete or export their data whenever they choose.

3. Prevent Fraud - Article 3.3 (f)

• Build in anti-fraud safeguards to block cloning, tampering, and other fraudulent use, such as:
  • Secure Boot
  • Unique device signatures
  • Strong user/device authentication

How to Prove RED 3.3. Compliance

To legally sell your connected product in the EU, you must show it meets the RED cybersecurity requirements. Here's how:

1. Follow the EN 18031 series of harmonised cybersecurity standards

The European Commission publishes harmonised standards that define what compliant security looks like.

EN 18031-1: General cybersecurity requirements

EN 18031-2: Privacy and data protection

EN 18031-3: Fraud protection measures

By fully applying these standards, you will be able to self-declare compliance.

If you don’t follow them or only apply parts, you must justify your approach , and you may need to involve a Notified Body (see point 5).

2. Declaration of Conformity (DoC)

This is a signed statement that your product meets all the relevant EU requirements. It should include:

• Product name and model
• Applied standards (e.g., EN 18031)
• Manufacturer/importer details
• Signature from an authorized person

You must keep it available for EU authorities upon request.

3. Technical Documentation

You need to compile and retain a technical file that proves how your product complies. It must include:

• Product description and intended use
• Design and safety features
• Risk analysis and how risks are mitigated
• Test reports for security and connectivity
• Instructions for use and installation

This must be kept for 10 years after placing the product on the EU market.

4. Apply the CE Mark

Once you've completed the steps above, add the CE marking to your product, its packaging, and user materials.

This shows your product is safe and compliant with EU law.

5. Notified Body Assessment (If Required)

You must involve a Notified Body if:

• Your device is considered high risk (e.g., handles financial data, performs OTA updates, processes sensitive personal info)
• Or you don’t follow harmonised standards in full

You can find a full, searchable list of RED Notified Bodies on the NANDO database.

What If You Don’t Comply?

Failing to meet RED Article 3.3 can lead to:

Fines

They’re set by each Member State, and must be effective, proportionate, and dissuasive.

Product Bans and prohibition on CE marking

Non-compliant products may be removed from sale, recalled, or blocked at EU borders.

 Legal Liability

If a security flaw in your product leads to a data breach or network attack, your company could face lawsuits and compensation claims. Related laws (like GDPR) allow for fines up to €20 million or 4% of global turnover.

Exein Helps You Meet RED 3.3. Compliance

At Exein, we simplify your path to Radio Equipment Directive (RED) Article 3.3 compliance.

We start by helping you understand the regulation, assess how it applies to your products, and review your design for compliance risks.

Our platform then adds built-in security features like secure boot, data protection, and threat detection, aligned with EN 18031 standards.

Finally, we test your devices not only for RED but also for broader EU regulations like the Cyber Resilience Act, making your compliance faster, complete, and future-proof

You’re still in time to avoid potential trouble, don’t hesitate to Book a Demo and secure your products.

Reach compliance with all EU regulations: RED, CRA, DDP

The Radio Equipment Directive (RED) 3.3 cybersecurity update marks a major step in the EU’s digital product regulation. It affects almost every connected product on the market, and it will be soon accompanied by the Cyber Resilience Act and the Digital Product Passport.

Together, these regulations define the EU’s direction: stronger cybersecurity, and more product transparency than ever before. Contact us and make sure to be ready and compliant.

Timeline

Apr 16, 2014 – RED officially adopted, replacing the old R&TTE Directive in EU

Jun 13, 2016 – RED enforcement begins for all EU radio equipment

Jan 12, 2022 – RED updated to include cybersecurity requirements (Art. 3.3)

Jan 30, 2025 – Final harmonised standards (EN 18031) published officially

Aug 1, 2025 – RED 3.3 cybersecurity rules become mandatory

Sep 2026 – Cyber Resilience Act (CRA) initial obligations begin

Dec 2027 – Full CRA and Digital Product Passport (DPP) rules come into effect