
Navigating EU RED Compliance: Meeting the August 2025 Deadline

The European Union’s Radio Equipment Directive (RED) cybersecurity requirements go into effect in August 2025. These requirements mandate that device manufacturers secure network-connected products sold in Europe. This post breaks down what’s in scope, what compliance requires, and how to assess readiness at scale.
Emily Choi-Greene
June 15, 2025

What is RED and Why It Matters

The Radio Equipment Directive (RED) is the European Union’s regulatory framework for radio-enabled devices. RED was recently updated to include strict cybersecurity requirements for IoT and wireless equipment. Its objective is to improve cybersecurity, protect personal data, and prevent misuse of networked devices within the EU.

Three relevant standards apply:

  • EN 18031-1:2024: Defines baseline cybersecurity requirements for internet-connected radio devices
  • EN 18031-2:2024: Covers security and privacy protections for devices processing personal, traffic, or location data
  • EN 18031-3:2024: Sets fraud prevention requirements for devices handling virtual money over the internet

Manufacturers must ensure that any internet-connected device with radio functionality (from smart home gadgets to industrial sensors) meets baseline security standards and does not harm communication networks, misuse resources, or compromise privacy.

Starting August 1, 2025, these cybersecurity provisions become mandatory. Devices that fail to comply cannot be sold in the EU market. In the same way GDPR revolutionized data privacy worldwide, the EU’s push on RED is raising the bar for IoT security compliance globally.

What Types of Products Are in Scope for RED?

RED applies to any product with a network connection. This includes both consumer and industrial devices, even if they’re not marketed as “smart” or connected externally.

Examples of in-scope devices:

  • WiFi-enabled printer, even if it only operates within a corporate network
  • Bluetooth-enabled IoT device, such as smart locks or fitness trackers
  • Any device with networking capability, including LAN, WLAN, Bluetooth, Zigbee, LTE, etc.

This directive specifically targets device manufacturers who sell products into the European market, regardless of where the devices are produced or operated.

What Does RED Compliance Entail?

To demonstrate RED compliance, manufacturers must identify and secure all relevant assets across three primary domains: Network, Security, and Privacy. The directive demands a deep, asset-level evaluation of each product’s security.

For every IoT product, companies must:

  • Identify every asset in scope: every component (hardware or software module, radio interface, data interface) that could affect security
  • Evaluate each asset against hundreds of criteria: ensuring it meets requirements for network protection, data privacy, access control, etc.
  • Document access controls, security posture, and more: compiling technical files with risk assessments, test results, and compliance evidence for each asset.

Asset Enumeration

Network Assets

Network assets include network functions such as a Bluetooth stack or HTTP server, network function configurations like WiFi settings or open ports, and network interfaces such as a LAN port or wireless interface.

Security Assets

Security assets include security functions like login mechanisms or TLS libraries, security function configurations such as authentication settings or secure boot options, and sensitive assets like keys (e.g., TLS private key), secrets (e.g., admin password), and other credentials.

Privacy Assets

Privacy assets include privacy functions such as location tracking or data export, privacy function configurations like consent toggles or data retention settings, and personal data such as names, email addresses, or biometric identifiers.

Controls in Scope

Once all assets are identified, manufacturers must document applicable controls per asset. For RED compliance, manufacturers must verify controls for network protection (preventing unauthorized access or interference), data protection (encryption and privacy of user data), and fraud prevention (stopping device misuse for fraud).

RED requires a layered approach to security controls, tailored to the sensitivity and function of each asset:

Asset Classification Policies

Every asset must be classified (e.g., Confidential, Restricted, Public) based on its potential impact if compromised. This classification guides the required level of protection and monitoring.

Access Control Rules

All assets—particularly secrets and keys—must be protected by access control systems. These rules specify which roles, users, or systems are permitted access. The underlying mechanism may implement RBAC, DAC, MAC, or ABAC. For example, an admin password should only be modifiable by an application administrator, while a pairing code might be publicly accessible (e.g., printed on a device).

Authentication on Interfaces

Any network or user interface that provides access to sensitive functions or data must enforce authentication. This includes mechanisms such as passwords, secure pairing protocols, or certificate-based access for APIs and Bluetooth connections.

Hardware Protections

If a product relies on hardware-level protection—such as secure elements, TPMs, or tamper-resistant memory—manufacturers must declare this. They are also required to document any publicly known vulnerabilities in the hardware.

Secure Storage

Secrets (e.g., pairing codes, admin credentials), keys (e.g., TLS private keys), and other critical data must be stored using explicit protection mechanisms. These mechanisms may involve logical isolation, encryption, or hardware-backed secure storage.

These controls are not optional. RED requires that each control be defined per asset, per product, and documented for each device sold in the EU. The directive expects that all mechanisms used—whether software or hardware—can be reviewed and validated against the harmonized standards.

How Can I Assess RED Compliance at Scale?

In practice, a single smart device might involve hundreds of individual assets (firmware modules, radios, interfaces), each requiring analysis. Many manufacturers produce a wide set of smart devices for sale in Europe. Assessing RED compliance at scale requires a structured internal audit process.

Evaluate Your Posture

  1. Inventory All Devices: Identify all products in scope that are sold or distributed in the EU.
  2. Architecture Review: Analyze diagrams and data flows to trace network exposure and sensitive or personal data usage.
  3. Asset Enumeration: Document all network, security, and privacy assets per the categories above.
  4. Control Mapping: Record protection mechanisms and any gaps for remediation.
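The asset enumeration and control mapping steps above can be expressed as a small, checkable inventory. The following is an added example (not Clearly AI's code or any RED tooling): it models network, security and privacy assets with the control categories this post lists, derives which controls each asset kind needs, reports gaps per asset, and infers which EN 18031 parts apply from the asset kinds present. The smart-lock inventory, its asset names and mechanism descriptions are constructed for illustration.

```python
from dataclasses import dataclass, field

# Asset kinds the post singles out for explicit access control and protected storage.
PROTECTED_KINDS = {"secret", "key", "personal_data"}

@dataclass
class Asset:
    name: str
    domain: str                # "network", "security" or "privacy"
    kind: str                  # "interface", "function", "secret", "key", "personal_data", ...
    sensitive: bool = False    # interface exposes sensitive functions or data
    classification: str = ""   # "Confidential", "Restricted" or "Public"; "" = not yet classified
    controls: dict = field(default_factory=dict)   # control name -> documented mechanism

def required_controls(asset: Asset) -> set:
    """Controls from the post, applied according to the asset's kind (assumed mapping)."""
    req = {"classification"}                       # every asset must be classified
    if asset.kind in PROTECTED_KINDS:
        req |= {"access_control", "secure_storage"}
    if asset.kind == "interface" and asset.sensitive:
        req.add("authentication")                  # authentication on sensitive interfaces
    # Hardware-backed protection must be declared, with its known vulnerabilities.
    if "hardware" in asset.controls.get("secure_storage", "").lower():
        req.add("hardware_declaration")
    return req

def asset_gaps(asset: Asset) -> list:
    present = set(asset.controls) | ({"classification"} if asset.classification else set())
    return sorted(required_controls(asset) - present)

def applicable_standards(assets) -> set:
    """EN 18031-1 always; -2 when personal data is processed; -3 when virtual money is handled."""
    std = {"EN 18031-1"}
    if any(a.kind == "personal_data" for a in assets):
        std.add("EN 18031-2")
    if any(a.kind == "virtual_money" for a in assets):
        std.add("EN 18031-3")
    return std

def gap_report(assets) -> dict:
    """Asset name -> missing controls; assets with no gaps are omitted."""
    return {a.name: g for a in assets if (g := asset_gaps(a))}

# Constructed inventory for a hypothetical smart lock; every value here is made up.
SMART_LOCK = [
    Asset("ble_interface", "network", "interface", sensitive=True, classification="Restricted",
          controls={"authentication": "LE Secure Connections pairing"}),
    Asset("pairing_code", "security", "secret", classification="Public",
          controls={"access_control": "printed on device, read-only"}),
    Asset("tls_private_key", "security", "key", classification="Confidential",
          controls={"access_control": "firmware only", "secure_storage": "hardware secure element"}),
    Asset("owner_email", "privacy", "personal_data", classification="Confidential",
          controls={"access_control": "owner role only"}),
]
```

Running `gap_report(SMART_LOCK)` lists the pairing code and owner e-mail as lacking a documented storage mechanism and the TLS key as lacking the hardware declaration, which is the remediation list step 4 asks for.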

Document Compliance

Compile evidence to support conformity assessments, especially if relying on custom implementations over harmonized standards. Detailed documentation (risk assessment reports, test results, design specifications, and Declarations of Conformity) must be prepared for each device. This level of thoroughness is resource-intensive and requires multidisciplinary coordination between engineering, security, and compliance teams.

Clearly AI’s Solution: Automating RED Compliance

Tackling RED compliance manually, asset by asset, is daunting. This is where an automated approach like Clearly AI’s RED compliance solution can be transformative. Clearly AI is a platform designed to streamline complex security and compliance evaluations. For RED, it addresses the pain points by automating the heavy lifting:

  • Automatic Asset Discovery: Instead of manually inventorying every component, Clearly AI ingests your product’s design artifacts (specs, firmware lists, bills of materials) and automatically identifies all assets that fall under RED’s scope.
  • RED-Specific Security Evaluations: For each identified asset, Clearly AI runs through an evaluation mapped to the RED criteria. It uses built-in knowledge of the directive’s hundreds of requirements to check whether the asset’s security measures are sufficient.
  • Automated Compliance Documentation: Perhaps most importantly, Clearly AI generates the needed documentation as it evaluates the assets. It produces structured reports and compliance documentation tailored to RED – including risk assessments for each asset, descriptions of security controls implemented, test or simulation results, and draft text for the Technical File and Declaration of Conformity.

By the end of the process, you have a ready-to-go evidence package showing how each product meets RED requirements.

Automating RED compliance gives teams real-time visibility into device posture, streamlines documentation for audit readiness, and eliminates manual effort across asset checks—ensuring you meet the 2025 deadline without risking fines or market disruption.

RED Compliance is Crucial for Device Manufacturers

RED compliance is a complex but critical mandate for IoT and wireless device makers. It’s about safeguarding users and networks, and as such, the EU is raising the bar for everyone.

If you're preparing for RED compliance and need support across your device portfolio, contact us at support@clearly-ai.com.

This blog is based on RED Delegated Regulation (EU) 2022/30 and harmonized standards EN 18031-1 and EN 18031-2. All device manufacturers selling network-connected devices in the EU must meet the outlined requirements starting August 1, 2025.
