EU RED Cybersecurity Requirements: What You Need to Know

EU RED Cybersecurity Requirements Explained

In January 2025, the European Commission incorporated EN 18031, “Common security requirements for radio equipment,” as a harmonized standard under RED. 

This mandates that all radio equipment must comply with the cybersecurity requirements in these articles: 

• Article 3(3)(d): Ensures radio equipment communicating over the internet cannot compromise or harm networks (standard: EN 18031-1) 

• Article 3(3)(e): Mandates personal data and privacy security in radio equipment (standard: EN 18031-2) 

• Article 3(3)(f): Protects users from fraud when using radio equipment for financial transactions (standard: EN 18031-3) 

These requirements apply to devices that incorporate radio technology and connect to the internet. Affected devices could include:  

• Mobile phones 

• Wearable devices 

• Connected industrial devices 

• General-purpose IoT applications 

The standards were to be finalized in August 2024. However, delays moved implementation to August 2025. Regardless, manufacturers and IoT solution providers must prepare now. 

EN 18031 Cybersecurity Regulation Standards

The EN 18031 standards focus on the concept of “asset” as a critical parameter or function that must be protected. They establish several requirements that the final manufacturers must satisfy.   

These requirements are grouped in the following areas: 

• Access control mechanism: The device will have appropriate control mechanisms, allowing only authorized entities to access security and network assets.  

• Authentication mechanism: The mechanism must manage access to read, modify or use network function configuration or security parameters. 

• Secure updates: A secure update mechanism is present, and new software is installed with integrity and authenticity. 

• Secure storage mechanism: A secure storage mechanism protects assets’ confidentiality and integrity properties. 

• Secure communication mechanism: The mechanism protects asset communications to ensure authenticity, confidentiality and anti-replay properties. 

• Resilience mechanisms: Practices and functionalities that enhance operational resiliency against denial-of-service (DoS) attacks on network interfaces. 

• Monitoring mechanism: A mechanism to monitor and detect DoS attacks in network traffic.  

• Traffic control mechanism: A mechanism to detect malicious network traffic behavior. 

• General equipment capabilities: Technical and operational practices that enhance vulnerability management through security by design and reduced attack surfaces. 

• Cryptography and appropriate confidential cryptographic keys management: Follow international cybersecurity guidelines in the cryptography area. Reuse relevant international guidelines, such as NIST SP 800-57, SOGIS Agreed Cryptographic Mechanisms, ETSI TS 119 312 and BSI TR-02102-1. 

Different security requirements could apply to the final application, depending on: 

• The device typology 

• The functionalities provided 

• Its intended use  

Compliance with these cybersecurity regulations will be mandatory for all European radio equipment approvals. It is a critical consideration for companies that operate or sell to the EU market. However, compliance is only one part of the IoT security story. 

Beyond Compliance: The Importance of EU RED and Comprehensive IoT Security

RED marks a significant milestone in product security for the European market. It establishes formal, mandatory security requirements for connected devices. The aim is to protect networks and safeguard personal data to prevent fraud. Many industry stakeholders view mandatory cybersecurity provisions as a positive step toward standardizing security in the EU market. 

Despite this security cornerstone, cyberthreats remain. Standards struggle to account for new threats and evolving risk scenarios. Meeting EU RED cybersecurity regulations is the first step toward true IoT security.  

Compliance sets the foundation, but each final application is different. Risks and threats to embedded systems depend on the application and use case. They can vary from one application to another.  

Horizontal regulations and compliance frameworks fail to capture the security challenges and risks of each final application. Manufacturers and value chain stakeholders must assess specific threats and implement tailored security measures. This approach mitigates product-specific vulnerabilities and related risks.   

The Roles of Security by Design and Life Cycle Support

True IoT security extends beyond regulations. Our security by design and life cycle support are two principles that ensure a stronger cybersecurity position.

Security by Design

Secure solutions are must-haves for business across industries. Our security by design approach integrates security into every aspect of the product development process. This includes:

• Threat modeling and risk assessment activities to assess potential threats and evaluate the associated risks 
• Minimization of the attack surface 
• Harmonized security requirements integrated within the product design and life cycle 
• Secure development practices that adhere to industry standards 
• Implementation of several security features to support our customers in their specific vertical markets  
• Extensive testing, including penetration testing and security automation pipelines, to identify and address vulnerabilities in the product life cycle 
• Incident response processes across the product life cycle 

Comprehensive Life Cycle Support

IoT devices often have long lifespans, sometimes operating for a decade or more. During this time, new vulnerabilities may emerge. They require swift action to maintain security. Comprehensive life cycle support includes:

• Immediate response capabilities in the event of a security incident
• Proactive monitoring for potential vulnerabilities, often providing updates before issues become widely known
• Long-term software update support to address new security threats
• Continuous security consultations and support throughout the life cycle of your IoT deployment 

The Value of a Trusted Partner in IoT Security

When selecting an IoT solution, look beyond initial compliance. Consider the total cost of ownership and include long-term security implications. Some providers may offer lower upfront costs. However, risks and expenses associated with security breaches or lack of long-term support can outweigh the savings. 

A trusted partner offers several advantages:

• Experience: Choose a partner with deep roots in cybersecurity. Look for those with expertise in securing critical systems and a proven history of delivering IoT across industries.  
• Long-term support: You can set and forget cybersecurity. When you go with a trusted partner, your IoT devices will remain secure long after deployment. 
• Rapid incident response: An experienced team will quickly respond to security issues, minimizing damage and downtime. 

Real-World Impact: The Cost of IoT Security Breaches

To understand the importance of comprehensive IoT security, consider security breach in scenarios like:

• An alarm system vulnerability, which could compromise home security for thousands of users
• A flaw in tracking systems that might allow unauthorized vehicle control
• Vulnerabilities in industrial IoT devices could lead to production disruptions

The average cost of a successful attack on an IoT device “exceeds $330,000.” According to recent research, at least 30% of data breaches involve an IoT device.

The consequences don’t stop with the immediate technical issue. Companies face potential damage to their reputation and loss of trust. There is also the financial impact of not being proactive.

Forty-four percent of cyber insurance claims are denied because businesses did not meet all security requirements. Adopting cyber insurance without a holistic approach to IoT security does not mitigate the risks.

Companies that partner with a security-focused IoT provider reduce these risks. A comprehensive approach to security helps prevent breaches before they occur. You are also supported in the event of an incident. 

EU RED Cybersecurity Requirements and the Future of IoT Security

IoT security will remain in the spotlight as we implement EU RED cybersecurity requirements. To stay ahead of threats, companies should take specific actions. These include: 

• Prioritize security in their IoT strategy 

• Choose IoT partners with a proven track record 

• Consider the total cost of ownership 

• Stay informed about evolving security standards and best practices 

• Implement a proactive approach 

A Robust and Future-Ready IoT Landscape

While the EU RED cybersecurity requirements are a critical step forward, true IoT security requires a comprehensive approach. It must address both visible compliance regulations and the deeper security aspects. 

With a partner like Telit Cinterion, businesses can navigate IoT security with confidence. Our expertise ensures that your IoT deployments will maintain security now and in the future. 

Our IoT solutions embrace a 360-degree security by design approach. We build security into every layer of your ecosystem and give you holistic, end-to-end protection. We work with you to find a unique solution and provide the tools and confidence to take the next leap forward. 

Speak with our IoT experts about your security approach.