Reach compliance with article 3.3 of the Radio Equipment Directive (RED)

How do you reach compliance with RED article 3.3 as a manufacturer, importer or seller of connected products? Our experts can help you.

> IoT | Testing & Certification > Reach compliance with Radio Equipment Directive (RED) 3.3

What is RED article 3.3 and how does it affect you?

Are you a manufacturer, importer or seller of products with WiFi, Bluetooth, ZigBee, LoRA, NFC, 5G, Matter, or other wireless capabilities and do you do business within the European market? Then RED article 3.3 will impact you.

Article 3.3 of the RED (Radio Equipment Directive) is an EU regulatory update introducing cybersecurity requirements for radio equipment, including IoT devices, to protect against privacy breaches and cyber threats. This directive requires manufacturers to design secure products, implement secure software updates, and comply with the new standards. RED 3.3 will come into effect in August 2025.

Which products fall under RED 3.3?

The following connected products will be covered by RED article 3.3:

1. Mobile devices and smartphones
2. Smart watches and wearables
3. Smart home devices and IoT devices
4. Drones and unmanned aerial vehicles (UAVs)
5. Connected vehicles (automotive IoT)
6. Modems, routers and communication modules
7. Smart meters
8. Payment systems and mobile POS devices
9. Emergency response equipment

Image in image block

What are the requirements of RED 3.3?

The RED article 3.3 requires connected products to be secure. You have to make sure, for example:

  • That radio equipment does not harm network functionality or misuse resources.
  • That personal data and the privacy for internet connected devices, such as wearable devices and toys, are protected.
  • That devices handling virtual money or monetary value, securely process this data.

The EN 18031 standards provide a practical framework for meeting RED 3.3 cybersecurity requirements. These standards break down the key expectations mentioned above, that are outlined in articles 3.3 (d), (e), and (f) of the RED. Specifically, EN 18031-1 addresses article 3.3 (d) by ensuring that devices don’t disrupt network functions or misuse resources, supporting secure network operations. EN 18031-2 focuses on article 3.3 (e), protecting personal data and privacy for internet-connected devices like wearables and toys. Finally, EN 18031-3 meets article 3.3 (f) by safeguarding the secure handling of data for devices that process virtual money or hold monetary value.

Your challenges

Deciphering requirements: Understanding the specific impacts of articles 3.3(d), (e), and (f) on product security and privacy protocols.

Integrating Security by Design: Embedding cybersecurity into all product aspects—design, firmware, software—often requiring new expertise and resources.

Proving compliance efficiently: Navigating the certification process and market surveillance while balancing speed-to-market and cost.

How we support you

Secura and Bureau Veritas offer a streamlined compliance path tailored to RED article 3.3 requirements, covering each critical area. To help you reach RED 3.3 compliance, we use the EN 18031 standard, as this covers all the requirements of the RED article 3.3. Successfully completing all of the steps below assures that the product is compliant with RED 3.3, as well as UK PSTI.

01

RED article 3.3 Workshop

Understand the article's key requirements and their impact on your products.

02

Product Design Review

Align your design with RED article 3.3 to ensure compliance.

03

Risk Analysis and Gap Assessment

Identify any security gaps in line with EN 18031 standards for network security, data privacy, and secure transaction processing.

04

Product Testing

Verify compliance with industry-leading standards (ETSI EN 303 645, IEC 62443-4) recognized globally.

05

Certification through Bureau Veritas

Obtain your EU Type Examination Certificate for RED compliance and access to the EU market.

Our expertise in RED article 3.3 compliance

Secura, as Bureau Veritas’s cybersecurity division, combines global certification expertise with deep knowledge of EU compliance standards. Trust our team to guide you through each step, ensuring not only compliance but also lasting cybersecurity resilience for your products and business. We offer:

  • Regulatory expertise: Our team has experience with RED article 3.3 and EN 18031 standards, to give you a seamless compliance journey.
  • Full-Service support: We offer end-to-end services covering design review, testing, and preparation for certification.
  • Efficiency and reliability: Secura has a solid track record of timely, cost-effective compliance support.
Image in image block

Watch our webinar on RED 3.3

You're invited to watch our Webinar on Demand: Understanding and Complying with the RED article 3.3 Directive for Products with Wireless Capabilities. Your hosts, Hugo Lenssen, Program Manager at RDI, the Dutch Authority for Digital Infrastructure; Michael Beine, Business Unit Manager Cybersecurity at Bureau Veritas; and Jasper Nota, Senior Security Specialist at Secura, will guide you through the essentials.

Watch webinar here

RED 3.3 FAQ

Which products don't fall under RED 3.3?

Device exceptions to the RED are devices covered by other regulations and directives, such as medical devices, civil aviation, motor vehicles, electronic road toll systems, etc. The National inspection of digital infrastructure (RDI), which is the enforcement authority within the Netherlands that verifies whether the products that have been placed on the market actually meet the requirements, published an overview of product categories and specific products that fall under the RED 3.3. You can find more information in this article: Which products must comply with Article 3.3 of the RED? (Dutch only).

What is the timeline for RED 3.3. compliance?

All RE devices that will be placed on the market after the 1st of August 2025, will have to be compliant with RED 3.3. If the product is placed on the market before this date, the product is not required to comply with RED 3.3. However, if any further updates or changes are made to the product while on the market, it will require compliance. A typical RED 3.3 compliance journey takes around 9 months to complete.

What is the relationship between CRA and RED 3.3?

RED 3.3 only focuses on the security of the device itself (hardware, software, firmware and interfaces), and not on the connected components and all the phases of the life cycle, as the Cyber Resilience Act (CRA) does. RED 3.3 however, is a part of the CRA requirements, which will come into effect in the coming years. The compliance journey of RED takes the first steps in the preparations for the CRA. Read more about the CRA.

Contact us

Do you want to know more about how we can help you reach RED article 3.3 compliance? Fill out the form and we will contact you within one business day.

USP

Why choose Secura | Bureau Veritas

At Secura/Bureau Veritas, we are dedicated to being your trusted partner in cybersecurity. We go beyond quick fixes and isolated services. Our integrated approach makes sure that every aspect of your company or organization is cyber resilient, from your technology to your processes and your people.

Secura is the cybersecurity division of Bureau Veritas, specialized in testing, inspection and certification. Bureau Veritas was founded in 1828, has over 80.000 employees and is active in 140 countries.