Radio Equipment Directive (RED):
EU directive for radio equipment

From August 2025, the Radio Equipment Directive (RED) will require manufacturers to implement specific IT security requirements in radio equipment. This EU-wide regulation on RED cybersecurity lays the foundation for enhanced security in connected communications. With high-performance industrial routers and reliable managed services, INSYS icom supports RED compliance and helps ensure long-term future viability.

The Radio Equipment Directive (2014/53/EU) has been revised in response to increasing cyber threats. From 1 August 2025, it requires internet-enabled radio equipment, such as industrial routers, to meet essential cybersecurity requirements. The aim is to establish a uniform level of protection within the EU internal market, with regard to network security, data protection and the prevention of misuse. Companies, especially operators of critical infrastructures, are under considerable pressure to act – from adapting existing development processes through to conformity assessment.

What is the Radio Equipment Directive?

The Radio Equipment Directive (2014/53/EU), or RED for short, has regulated the placing of radio equipment on the EU internal market since 2014. In 2021, the directive was extended to include specific cybersecurity requirements, which will become mandatory from 1 August 2025.

The aim of the extended Radio Equipment Directive is to strengthen the network security of radio equipment, protect personal data and prevent fraud. The scope covers all devices with radio functionality, such as Wi-Fi or cellular radio modules, that are connected to the internet or enable communication between devices.

The technical requirements include protection against unauthorised access, ensuring data availability and integrity, and safeguarding personal data. Relevant standards for technical implementation include EN 18031-1:2024, EN 18031-2:2024 and EN 18031-3:2024.

What are the new provisions of the extended RED?

The original RED focused on essential requirements for radio equipment, particularly electromagnetic compatibility (EMC) and the efficient use of the radio spectrum. The most recent revision adds specific provisions on cybersecurity to these requirements.

New mandatory requirements now apply, particularly for internet-connected devices:

  • to ensure network security
  • to protect personal data
  • to safeguard against misuse

These adjustments are a response to the growing threat landscape in the field of connected products.

Who is affected?

The new Radio Equipment Directive cybersecurity requirements affect a wide range of stakeholders along the value chain of connected radio equipment. In particular, the following groups must prepare for the tightened security provisions:

Manufacturers of radio equipment, such as industrial routers, IoT gateways or other devices with radio modules.

Importers and distributors placing such devices on the EU internal market.

Operators of critical infrastructures who use connected radio technology and rely on stable and secure communication systems.

Relevant industries: energy supply, transport, water supply and wastewater management, healthcare, public administration, industrial automation and other security-critical areas with internet or wireless connectivity.

What does the RED actually mean?

Specific obligations:

  • Integration of ‘security by design’ into product development
  • Proof of secure communication, for example via TLS in accordance with BSI TR-02102-2
  • Protection against data leaks, manipulation and unauthorised access
  • Execution of a conformity assessment, including documented risk analysis and technical security measures

Operational requirements:

  • Establishment of lifecycle management for security updates and software maintenance
  • Active monitoring of vulnerabilities, including their assessment and remediation, for example through CVE management

Obligation to provide evidence:

  • Technical documentation
  • Risk assessments
  • Test and inspection evidence demonstrating conformity

What needs to be done and by when?

The extended requirements of the RED will apply from 1 August 2025. No transitional period is planned. From that date, the requirements will be binding for all affected devices.

Key challenges:

  • Technical implementation of new security mechanisms such as encrypted communication, access protection and logging of security-relevant processes
  • Adaptation of development, testing and quality processes to principles such as ‘security by design’ and update capability
  • Reorganisation of internal responsibilities and training of development teams in handling regulatory requirements and relevant RED cybersecurity standards
  • Establishment of sustainable verification and documentation processes for configurations, software versions and security-relevant changes

Timeline Radio Equipment Directive

  • January 2022: Publication of Delegated Regulation (EU) 2022/30, adding the cybersecurity provisions of Article 3.3 d/e/f
  • February 2022: Formal start of application of RED Article 3.3 d/e/f, with transition period
  • January 2025: Issue of the harmonised RED cybersecurity requirements
  • 1 August 2025: Mandatory start of validity of RED Article 3.3 d/e/f

What are the penalties?

Failure to comply with the Radio Equipment Directive cybersecurity requirements can lead to serious consequences:

  • Sales ban on non-compliant devices within the EU internal market
  • Substantial fines, depending on the nature of the violation
  • Obligation to recall products already delivered
  • Public warnings issued by market surveillance authorities regarding affected devices

Achieve RED compliance – with INSYS icom

Benefit from our cyber-secure and standards-compliant solutions.

INSYS icom solution expertise

Secure device architecture

Router architecture with BSI-compliant security features.

Security updates

Automated roll-out of security-relevant updates with audit-proof documentation to fulfil the obligation to provide evidence via icom Router Management.

Lifecycle support

Long-term provision and maintenance of security-relevant software updates throughout the entire product lifecycle.

Security audits

Audit-proof logging of all configuration changes and access to the router.

Secure Development Lifecycle

Implementation of IEC 62443-4-1 compliant processes throughout the entire product lifecycle.

Secure remote access

Managed VPN service with strong authentication, encrypted connections and central key management.

These measures provide targeted support for companies in implementing the RED by technically securing the required regulatory security standards, fulfilling key evidence and control obligations, and enabling IT-based transparency.

The added value: significant relief in audit preparation, minimised operational risks and demonstrably higher security levels across connected infrastructures.

Update management according to RED:
Implementation with icom Router Management

icom Router Management (iRM) provides a RED-compliant update infrastructure in accordance with EN 18031-1 and ensures a secure update mechanism. Whether automated or approval-based, iRM supports the secure implementation of key requirements for securing radio equipment. By using strong cryptography and tamper-proof distribution, iRM sets standards for secure, scalable and RED-compliant device management throughout the entire lifecycle.

| RED Requirement (EN 18031-1) | Implementation via iRM + icom OS |
| --- | --- |
| Remote software/firmware updates must be secure and authorized | iRM uses certificate-based signing and encryption for update packets, validated by icom OS routers before installation. |
| Update must prevent unauthorized modifications | Optionally, only packages with a verified digital signature or encrypted content from a trusted certification authority can be accepted. |
| Fallback-safe update strategies | Updates can be scheduled, manually approved, or executed unattended, ensuring flexibility for safe deployment. |
| Integrity and authenticity validation before execution | Routers validate update integrity using hashes and enforce use of verified certificates. |
| Tamper protection | Routers reject unsigned or unverified packets. Customers can configure enforcement policies within the router interface. |
| Human supervision possible but not required | iRM supports fully automated, semi-automated, or manual supervised updates. This satisfies RED’s ‘under human approval OR no-harm assurance’ clause. |
| Traceability of updates and access | All update actions are logged and visible in the iRM dashboard and can be audited. |

Expert talk on the RED

In this expert talk, INSYS icom demonstrates how RED compliance and cybersecurity can be successfully implemented in practice.

Security & Compliance

Here you will find relevant evidence and documents on RED conformity, certified development processes and IT security measures from INSYS icom.

Radio Equipment Directive – Frequently asked questions

When do the new Radio Equipment Directive cybersecurity requirements apply?

The new requirements must be implemented from 1 August 2025. No transitional period is planned.

Which products are affected by the RED cybersecurity requirements?

All radio equipment that enables communication over the internet or controls internet-based communication processes is affected.

How does INSYS icom support implementation?

INSYS icom provides support with secure hardware, a BSI-compliant software architecture, encrypted VPN connections and automated security updates, including audit-proof documentation of evidence via icom Router Management.

What is audit-proof verification documentation?

Changes to configurations and system access are automatically logged and securely archived. The evidence is protected against subsequent changes and can be traced at any time.

How does icom Router Management support the implementation of RED cybersecurity requirements?

icom Router Management enables automated software updates, centralised management of device configurations and audit-proof documentation of security-relevant processes.

Does the INSYS icom VPN service fulfil the requirements of the RED directive?

Yes, the icom Connectivity Suite – VPN offers encrypted connections with strong authentication and therefore fulfils key requirements of the RED cyber security guidelines.

INSYS icom also meets these cybersecurity requirements

NIS 2

The NIS 2 Directive (Network and Information Security) sets out binding cybersecurity requirements for critical infrastructures.

Cyber Resilience Act (CRA)

The Cyber Resilience Act (CRA) obliges manufacturers of digital products to ensure cyber security throughout the entire product life cycle.
