RED 3.3 – What OEMs need to know

If you build products that connect to the internet and use Wi-Fi or Bluetooth, RED Article 3.3(d)(e)(f) adds mandatory cybersecurity, privacy, and fraud-prevention requirements that you must meet before you CE mark and place new products on the EU market. These obligations have applied to new radio equipment placed on the EU market since Aug 1, 2025. The EU also listed EN 18031-1/-2/-3:2024 as harmonized standards (with restrictions) on Jan 30, 2025, providing a primary standards route to demonstrate conformity.

Who this is for

End-product OEMs/brands shipping connected devices (consumer or industrial) into the EU. Module and component suppliers can help with building blocks and evidence, but system-level Article 3.3 conformity rests with the finished device you place on the market.

What changed (plain English)

The Radio Equipment Directive (2014/53/EU) was supplemented by Delegated Regulation (EU) 2022/30, which “activates” Article 3.3 points:

  • (d) Network protection – device must not harm networks or misuse resources.
  • (e) Personal data & privacy – safeguards for personal/traffic/location data.
  • (f) Fraud prevention – protections where devices enable monetary value/transactions.

Scope: equipment that can communicate over the internet, directly or via other equipment (e.g., a phone, hub, or gateway), and/or processes personal/traffic/location data, and/or enables transactions. Typical in-scope examples: cameras, sensors, wearables, toys, POS/payment devices, appliances, and many industrial endpoints.

Timeline (2025 update)

  • Jan 30, 2025 — EN 18031-1/-2/-3:2024 cited in the OJEU with restrictions (presumption of conformity when applied within the notice’s limits).

  • Aug 1, 2025 — Article 3.3(d)(e)(f) mandatory for new radio equipment placed on the EU market (date extended from 2024).

Note: Obligations apply from placement date forward; industry guidance indicates products placed on the market before Aug 1, 2025 are not retroactively affected.

How to comply (checklist for OEMs)

1. Confirm scope & impacted SKUs

Flag every SKU that can reach the internet (directly or indirectly). Document Article 3.3 applicability per SKU.

2. Risk-assess & threat-model the full system

Cover the device, app, cloud, and update pipeline. Map risks/controls to 3.3(d/e/f) and to the relevant EN 18031 clauses.

3. Engineer “secure-by-design”

Unique credentials, secure boot/signed firmware, hardening/least-privilege, protected debug, cryptography for data in transit/at rest, rate-limits to avoid network abuse, privacy-by-design, and secure payment/credential flows. Align to EN 18031-1/-2/-3 as applicable.

4. Provide a secure update & vulnerability-handling process

Authenticated updates, vulnerability intake/triage, and lifecycle maintenance plan.

5. Verify and document

Test against applicable EN 18031 parts (mind the OJEU “restrictions”). If you don’t fully apply harmonized standards, use an appropriate conformity-assessment route (e.g., RED Notified Body). Update the Technical File and your EU Declaration of Conformity accordingly.

6. Train teams & monitor updates

Ensure engineering, product, and compliance teams understand 3.3 obligations and watch for OJEU updates or guidance revisions.

The standards path you’ll reference in 2025

EN 18031 series (harmonized with restrictions)

  • EN 18031-1:2024 → addresses 3.3(d) network protection
  • EN 18031-2:2024 → addresses 3.3(e) personal data & privacy
  • EN 18031-3:2024 → addresses 3.3(f) fraud prevention

Apply what’s relevant to gain presumption of conformity; where restrictions/limits apply, justify equivalence and/or involve a Notified Body.


Quick FAQs

Does using a certified Wi-Fi/Bluetooth module make my device Article 3.3 compliant?

No. It can help, but system-level security, testing, and documentation for the finished device remain your responsibility.

My device connects only via a phone/app—am I in scope?

Typically yes: equipment that communicates over the internet, even when it does so via other equipment, falls within 3.3(d/e/f).

What changed the date to Aug 1, 2025?

Delegated Regulation (EU) 2023/2444 postponed the application date and fixed Aug 1, 2025 as the start.


How CEL can help (for OEMs)

CEL provides software board support packages that include access control and authentication to prevent unauthorized access to devices.

Contact Information: RF Team: support@cel.com