2025-02-12

Cybersecurity in the Radio Equipment Directive: VDE Institute supports manufacturers with new test specification and new certification scheme

For the Radio Equipment Directive (RED) 2014/53/EU, new requirements for the cybersecurity of internet-enabled radio equipment were introduced by Delegated Regulation 2022/30. With the newly developed EN 18031 series of standards, manufacturers are to demonstrate the conformity of their products with new cybersecurity requirements. The VDE Institute is providing support with a new test specification and a new certification scheme.

Contact
Alexander Matheus

Until now, the Radio Equipment Directive mainly regulated safety aspects and electromagnetic compatibility of radio equipment. In EU legislation, however, the focus is increasingly shifting towards the topic of cybersecurity. The new EN 18031 series of standards, consisting of EN 18031-1, EN 18031-2 and EN 18031-3, has been officially recognized as a harmonized standard for the Radio Equipment Directive since the end of January 2025 and specifies the requirements of the Radio Equipment Directive with regard to cybersecurity.

However, there are significant restrictions on the presumption of conformity. It does not apply to the following products or circumstances, which means that the involvement of a notified body to issue an EU-type examination certificate is mandatory:

  • Devices that offer the option of not setting or using a password
  • Children's toys where it is not ensured that only parents or legal guardians exercise access control
  • Secure updates do not automatically lead to a presumption of conformity according to Article 3(3)(f) of the Radio Equipment Directive
  • The “Rationale” and “Guidance” sections are only supportive and do not establish a presumption of conformity

Manufacturers of internet-enabled radio equipment are thus facing major challenges. From August 1, 2025, affected devices are legally required to meet these requirements. Manufacturers must carefully check whether their products fully meet the requirements or whether an additional assessment by a notified body is required.

How we can help


To give manufacturers further support in making a correct declaration under the regulation, the VDE Certification Committee has approved the new “VDE-PB-0036” test specification and thus the new “Cybersecurity-tested” certification scheme. This scheme includes certification according to the EN 18031-1, -2 and/or -3 standards. In addition to the certification, a label is issued that can be attached to the product for marketing purposes. This label is valid for one year. If the restriction of the presumption of conformity applies to a product and an EU-type examination is required, this can still be provided by the RED/EMC Notified Body of the VDE Testing and Certification Institute on the basis of EN 18031.

The “Cybersecurity-tested” certification can also be used to prepare for the Cyber Resilience Act (CRA) (EU) 2024/2847, which sets out binding cybersecurity requirements throughout the EU and will become a prerequisite for CE marking in the future.
