The Radio Equipment Directive (RED) establishes a European framework for regulating all equipment that communicates via radio waves. This includes any device using technologies such as Wi-Fi, Bluetooth, LoRaWAN, or cellular networks like 4G and 5G. 

In this context, August 1st 2025, marks a key milestone: from that date onward, the RED’s cybersecurity requirements will become mandatory! Economic operators (including manufacturers, importers and distributors) who fail to comply with these obligations may face sanctions ranging from the withdrawal of their products from the EU market to significant administrative fines, depending on the applicable legislation in each member state. 

This article aims to break down the directive and highlight the key takeaways. If you are behind in your compliance efforts, you will also find guidance here on how to get started! 

RED explained: What you need to know 

Adopted in June 2014, the RED (2014/53/EU) aims to standardize the marketing of radio equipment within the EU. Its primary objective is to ensure that devices that transmit or receive radio waves (such as smartphones and Wi-Fi routers) comply with health, safety, electromagnetic compatibility, and efficient use of the radio spectrum requirements. 

However, it was not until 2022 that cybersecurity was integrated into the RED, nearly eight years after its creation. The introduction of delegated act 2022/30 marked a new phase by adding specific requirements aimed at enhancing the resilience of radio equipment against digital threats. 

Scope of application of RED 

Definition of radio equipment 

According to Article 2.11 of the RED, radio equipment is defined as: 

“An electrical or electronic product that intentionally emits and/or receives radio waves for the purpose of radio communication and/or radio navigation” 

Specifically, this includes any device that uses wireless communication protocols such as Wi-Fi, Bluetooth, Zigbee, LTE, 5G, NFC, or LoRa to transmit or receive data via the radio spectrum. 

These technologies form the basis of many everyday devices, particularly in the fields of home automation and the Internet of Things (IoT). The RED directive therefore covers a very wide range of products. 

Sectors excluded from the scope 

The RED directive does not apply to all radio equipment. Some categories are explicitly excluded from its scope, particularly for reasons of sovereignty, specific regulatory frameworks, or usage contexts. 

Sectors subject to their own regulations: 

• Marine equipment: excluded are devices already covered by the Marine Equipment Directive (MED) 
• Aeronautical equipment: excluded are devices already regulated under the Common Rules in the Field of Civil Aviation (CRFCA) 
• Automotive equipment: excluded are devices already subject to the New General Safety Regulation (GSR II) 
• Defense and public security: devices used by national authorities within the scope of national defense or any public security activity 

Equipment for non-commercial purposes: 

• Customized research equipment (R&D): tailored for experimental purposes, not intended for commercial use 
• Amateur radio equipment: when not commercially available but built and used by amateurs in a non-commercial setting 

Economic operators subject to the directive and their responsibilities 

The RED directive does not concern only manufacturers of radio equipment. It applies to the entire supply chain, from design to market placement. Each economic operator plays a key role in ensuring product compliance, safety and reliability. To this end, RED defines separate requirements for three main categories of actors: manufacturers, importers and distributors. 

It is important to emphasize that the same company may fulfil several of these roles at once, and that this may vary for the same company from one product range to another. 

Manufacturers 

The manufacturer is on the front line. They are the ones who design, produce or brand an eligible product. They are therefore responsible for most of the actions required to bring products into compliance with RED. They must: 

• Ensure that the product complies with the essential requirements of the RED 
• Ensure that the product remains compliant in the event of modifications 
• When appropriate given the risks, carry out sample testing, keep a test record and keep distributors informed of the test history 
• Carry out or have carried out a conformity assessment 
• Provide an EU declaration of conformity 
• Affix the CE marking 
• Prepare the technical documentation and user instructions and retain them for 10 years 
• Withdraw or even recall a product from the market in case of non-compliance 
• Communicate with the authorities in the event of non-compliance or upon request 

Importers 

When a product is manufactured outside the EU, the importer is responsible for transporting it from its country of origin to the EU. The importer becomes responsible for its compliance when it enters the European market. The importer must: 

• When appropriate given the risks, perform sample testing, maintain a record of the tests and inform distributors of the test history 
• Ensure that product storage and transport conditions do not compromise compliance 
• Verify that the manufacturer has used an approved certification method 
• Check for the presence of the CE marking 
• Ensure that the technical documentation, declaration of conformity and user instructions are compliant, and retain a copy for 10 years 
• Withdraw or recall a product from the market in case of non-compliance 
• Communicate with the manufacturer and relevant authorities in case of identified non-compliance or upon request 

Distributors 

The distributors is the operator who makes the product available on the market to the customer or end user. They have a duty of care regarding the work carried out upstream by the manufacturer and importer. They must: 

• Ensure that storage and transport conditions do not compromise product compliance 
• Verify the presence of the CE marking and the availability of an EU declaration of conformity 
• Ensure that the technical documentation and user instructions are compliant 
• Withdraw or recall a product from the market in case of non-compliance 
• Communicate with the manufacturer, importer and competent authorities in case of identified non-compliance or upon request 

Key cybersecurity requirements under RED 

In 2022, RED introduced 4 essential cybersecurity requirements. These requirements are subject to eligibility criteria based on the characteristics of the product and are therefore not applicable to all devices. Rather than prescribing a fixed list of security measures to implement, the requirements represent broader security concepts to be integrated into product design. 

Network security 

Eligibility criteria: Applies to all devices connected to the Internet, either directly or indirectly. These measures are designed to prevent such devices from compromising network stability or performance. 

Cyber requirements: On the one hand, equipment must be designed to use the radio spectrum efficiently, without causing harmful interference. This ensures seamless coexistence between different devices without interference or disruption. On the other hand, they must not be capable of degrading, disrupting or hijacking network operations. 

Protection of personal data 

Eligibility criteria: Applies only to equipment that processes personal data. It aims to ensure user privacy. 

Cyber requirements: Devices must incorporate data protection mechanisms such as encryption to prevent unauthorized access. This involves securing information not only in transit but also during storage. 

Protection against fraudulent use 

Eligibility criteria: Specifically applies to equipment involved in money transfers, such as payment terminals or certain smartphones. This aims to limit the risk of fraud via this equipment. 

Cyber requirements: The regulation requires the integration of anti-fraud features, without prescribing a single solution. Among the possible approaches, multi-factor authentication (MFA) can be an effective measure, adding an extra layer of security during transactions. However, other mechanisms may also be considered depending on the context of use and the level of risk identified. 

Software authenticity 

Eligibility criteria: Applies to all equipment. The goal is to prevent the installation or execution of unauthorized software on a given device. 

Cyber requirements: Implement features that verify the software and hardware combination prior to any installation. This may include secure boot, signature/certificate verification, hash checking or any other method ensuring authenticity. 

Steps to ensure compliance with RED 

Methods for ensuring compliance 

Compliance with RED directive can quickly become a complex exercise, particularly when it comes to identifying the applicable cybersecurity requirements. To this end, CENELEC published RED related harmonized standard EN 18031 in early 2025. This standard clarifies the requirements and provides an official framework for RED compliance. 

However, it is important to emphasize that the use of EN 18031 is not mandatory. Certifying a product as compliant with EN 18031 is only one of the ways to achieve conformity with RED. A decision tree provided by RED allows for determining (depending on the product), which conformity assessment method is permitted. One of these methods is self-assessment, meaning a self-evaluation of compliance with the essential requirements, provided that the technical measures implemented and the associated justifications are thoroughly documented. 

However, these tools (EN 18031 and decision trees), although very useful remain complex to implement due to a margin for interpretation left on some aspects.

Standard procedure for manufacturers 

Based on Wavestone’s experience in cybersecurity compliance projects related to regulations and more specifically regulations targeting products, we offer a framework structured around 10 key steps: 

1. Inventory: Conduct an inventory of radio equipment marketed in the EU that does not fall under excluded sectors 
2. Requirements: Apply product specific eligibility criteria to identify the applicable essential requirements  
3. Strategy: Use the decision tree to identify possible certification methods and validate the chosen strategy for each product based on risk 
4. Framework: Specify (EN 18031) or interpret (legal text) the applicable framework by translating it into concrete, auditable security control points 
5. Gaps: Compare the current state of products and processes against the control points of the chosen framework to develop a remediation plan 
6. Remediation: Implement the remediation plan at both the product and cross-functional levels to ensure long-term compliance 
7. Documentation: Document and justify the decisions made and actions taken with respect to RED and/or EN 18031 requirements 
8. Instructions: Document best usage practices and safety instructions to ensure operation in compliance with the requirements 
9. Self-assessment / Third-party certification: Conduct a self-assessment or an audit via a certification body depending on the chosen strategy 
10. Communication: Affix the CE marking and liaise with authorities and other involved economic operators 

Positioning of RED within the cybersecurity regulatory framework for connected products 

The RED directive and the Cyber Resilience Act (CRA) clearly operate within a shared regulatory domain. For readers not yet familiar with the CRA a detailed analysis is available here. The scope of application of the RED is included in the CRA and the essential requirements of the CRA go beyond what is established by the RED. In this sense, compliance with the CRA implies compliance with the RED. As the CRA is set to become fully applicable in December 2027, there are ongoing discussions at the European level regarding the possibility that RED’s cybersecurity requirements may only remain in force until that date, with the CRA subsequently taking over. While such a transition would indeed be coherent, no official communication has been issued to that effect as of today. 

Nevertheless, achieving compliance with the RED as of now enables companies to effectively prepare for the implementation of the CRA. Both regulatory frameworks are based on similar compliance approaches and the harmonised standards for the CRA are currently being drafted by CENELEC, the same body that developed EN 18031, the harmonised standard under the RED.  

While RED compliance will become mandatory as of August 2025, it should also be viewed as a strategic opportunity to prepare for the CRA and future European regulatory requirements concerning product cybersecurity. 

Cet article ​​Radio Equipment Directive: A first step toward securing European connected products​ est apparu en premier sur RiskInsight.

OT Probes: A tool for monitoring industrial networks 

Figure 1: Listening to the network to assess and detect 

A detection probe is a piece of equipment, virtual or physical, connected to the information system (IS) in order to map and monitor it. It consists of sensors distributed across the network to collect data. And typically, a central console to aggregate, correlate and analyse this data. Probes for industrial environments – which we will refer to simply as OT probes here – are characterized by their passive, non-invasive listening on the network, and their understanding of industrial protocols and behaviour. Many players are present on the market, you can find our market overview here: https://www.riskinsight-wavestone.com/2021/03/les-sondes-de-detection-en-milieu-industriel-notre-vision-du-marche/  

All their probe solutions work on the same principle: network traffic is collected using flow duplication (SPAN, ERSPAN …) or physical duplicator like taps, etc. Packets are inspected in real time to provide several types of data: flow inventory and mapping, asset and vulnerability management, and finally anomaly and incident detection. 

This variety of possible use cases of these data and the types of users involved (operational and business team, cybersecurity team, etc.) is what makes OT probes so popular.  

However, procuring and deploying these solutions are costly. The organisation must have a clear understanding of their needs, a view of potential users and the exact added value required before embarking on such a project. 

Let’s take two very different examples 

Imagine two companies are considering deploying OT probes on their industrial sites.  

1st Company: WavePetro 

WavePetro is a company with a large sensitive site, which has a good level of cybersecurity maturity, as well as a segmented architecture. The company wants to deploy OT probes to be compliant with regulations and to improve its detection capabilities. 

Considering its architecture and detection requirements, numerous listening points will be needed on the site. WavePetro can rely on its local teams for expertise and site knowledge to support this complexity. 

2nd Company: RenewStone 

RenewStone has numerous scattered and unmanned small sites with different cybersecurity maturity levels. The sites are connected to central Group infrastructure. 
The company wants to deploy OT probes to gain visibility on its sites using inventory and vulnerability management features.  

With this configuration, RenewStone needs to standardize a turnkey OT probe roll-out and run service with as little local complexity as possible.  

Figure 2: 2 companies, 2 reasons to deploy OT probes, 2 implementation plans 

What is required for a successful roll-out? 

Although these two companies have different drivers and maturities, they will go through the same 5 key stages, albeit with different approaches.  

1.Perform a Proof of Concept 

Let’s start with the first step: the proof of concept. The objective for both companies is to test the feasibility and challenge the value this tool brings to the organisation. 

While WavePetro have to validate feasibility on a reduced perimeter in the factory, RenewStone has to validate OT probe added value validation on few different sites. 

The PoC is key in identifying what can be valuable for both companies. To get the most of it, it is important to: 

• Adapt vendors selection to your needs: The market is quite diversified between pure players, those specializing in industry or extending their IT solutions …  
  Do I want strong detection capabilities? Do I want a managed service? Do I want a unified solution for IT and OT?  
• Select the PoC scope: Identify a representative scope with resources to test on so that results can be reproduced at scale.  
• Draft a target architecture before the PoC: This allows to test an architecture that will be representative of what would be deployed at scale, in order to validate the tests carried out. 

PoC is an essential step to ensure that the tool provides value to your company, but also to be able to convince businesses to deploy especially when not constrained by regulations. 

2.Build the associated operating model  

Even from the early stages, before rollouts, it is important to remember that the end goal of the probes deployment will be to get value from its operation. To be able to do so, it is essential to: 

• Define an operating model for handling alerts, managing the inventory and managing the probes themselves. While WavePetro can have an operating model heavily relying on local knowledge and expertise, RenewStone must build a central operation model to include group teams such as SOC, OT security, network, infrastructure and so on. 
• Decide whether to call on a third party or manage your probes in-house: Few vendors also propose managed service, so you would need to create your own model, which could also rely – wholly or partly – on externalization. 
• Create a RACI: Considering the different use cases and the number of players involved in using or maintaining probes, a RACI is key to ensuring that all stakeholders are involved. 

This stage must be addressed upstream to facilitate the next steps. 

3.Prepare the roll-out  

Once the first step has demonstrated the added value of a probe and their operating model has been defined, let’s prepare for the roll-out. You need to define the final target: 

• Where you will deploy: Especially if you have many diverse sites, like RenewStone, you need to be precise on, and prioritize, the scope: It will not be possible to deploy all sites at the same time. 
• When you will deploy: Work on budget estimates, even if not accurate, as soon as possible so that sites are able to plan a roll-out on the following year. Probes are an expensive solution, not only in terms of hardware and licensing, but also in terms of the resources required to deploy and operate them. 
• How you will deploy: In any case, you need to work on a standard architecture blueprint. But especially if you have many sites to deploy or very limited local resources, you should work on building a packaged service offer to deploy.  

This preparation part is key to avoid wasting time with deployments and guarantee their success. 

4.Deploy ! 

Let’s start deploying… The motto is the same for both companies: Start small and grow.  
The difference lies in the scale:  

• Gradually roll out across the site for WavePetro: It will take some time to be able to listen everywhere effectively. Focus on the expected data to prioritize where to place the probe at first and where to listen to the network. 
• Learn and improve from one roll-out to the next for RenewStone: Rollouts are centralized and more standardized, so teams will learn and improve from one roll-out to the next. There should be a first ring of roll-out that is comprised of representative sites to test and improve the deployment model on.  
• Include change management: in all cases, the deployment of a new tool must absolutely include awareness-raising and training if probes are to find their users. 

Deploying OT probes can be a long and tedious process, but do not get discouraged, because there is still one big step left! 

5.Fine-tune OT probe console 

A probe roll-out is not a “1-and-done” kind of project. This is a tool for continuous improvement and needs to learn to deliver value. You should therefore dedicate time to: 

• Fine-tune OT Probes dashboard: Take time to improve the detection model (whitelist some behaviors, prioritize sensitive assets …), the automatic asset inventory and mapping (enrich inventory, import data, tag VLANs …), and so on. This fine-tuning needs to be done by someone with site-specific knowledge.  
• Integrate with other technologies: You can integrate OT probes consoles with your other solutions and tools such as the SIEM, firewalls or CMDBs to make the most of the data collected by the probes. 
• Try adding features: once you have gained some maturity over the solution, you can go even further with the features available like performing active queries to enrich the inventory and go even further with the features available. 

Fine-tuning enables the solution to reduce the amount of data it retrieves, so that it can focus on security data and alerts that will bring value to your company and its security level. 

Figure 3: Takeaways from 5 key steps towards an OT probes service 

Conclusion 

These 2 examples have taught us a lot about OT probes, and the many challenges involved in deploying and using them. If tomorrow, I were facing a customer wondering what to do with this OT Probe project on his roadmap, I would pick out 3 main elements: 

Figure 4: The 3 keys to a successful probe project 

Before deploying: Is it worth it ? 

Without clearly identified use cases and defined objectives, you may end up with probes providing unused or no real added value information. OT probes are expensive, both financially and in terms of time. You need to make sure they are worth it, and then gives you the means to fully exploit them. 

To do this, take the time to evaluate the quality and value of the information provided by the OT probes with your different teams (cybersecurity, operations, business…). 

Start small and grow 

Don’t be afraid to start small and grow progressively, whether that is in the number of monitored sites, assets or use cases. 

The long-term operation of OT probes is complex and builds over deployments. Take the time to take care of the solution adoption: if you want teams to use the solution, train them and demonstrate OT probes value! 

Rely on continuous improvement 

As for any robust cybersecurity process, continuous improvement should be at its core. Cyber threats are constantly evolving, from attacker techniques to OT exposure due to process digitalization. 

In parallel OT Probes can provide a wide of capabilities from incident detection to cartography, vulnerability management and even more yet to be released by editors. 

Focus first on capabilities that reduce your OT risks, progressively improving the services as it gains maturity! 

Cet article Detection probes for OT : The keys to a successful deployment est apparu en premier sur RiskInsight.

In a few words, if you either manufacture, import or resell a product with digital elements, you will surely be affected by the CRA, and need to ensure compliance. This article is intended to shed light on: What does this regulation entail? Who is affected? How can compliance be achieved? 

What is the cyber resilience act and what does it entail?   

To understand the necessity of the Cyber Resilience Act, it’s crucial to consider the broader context of cybersecurity in Europe. The CRA is an ambitious regulation designed to ensure the security of EU citizens by addressing the currently observed low levels of cybersecurity in products with digital elements through a European Union policy intervention. In response, comprehensive studies focusing on the cybersecurity of digital products were conducted, leading to the proposal of legislation defining the obligations for the whole products supply chain actors, from manufacturers to distributors.  

Wavestone’s involvement in this process underscores its commitment to enhancing cybersecurity standards. We participated in an in-depth exploratory study commissioned by the EU, engaging with a broad spectrum of stakeholders involved to varying degrees in the products ecosystem, including national authorities, EU bodies, hardware and software manufacturers, trade associations, consumer organizations, researchers, academia, and cybersecurity professionals.  

Through Wavestone’s position as a global, and particularly European leader in the field of cybersecurity, several interviews, focus groups and workshops were conducted.  Valuable insights were gathered from a wide range of different interlocutors, providing a comprehensive view that takes into account the perspectives of all stakeholders and allowed the foundation for the development of the CRA. 

Definition and Scope 

The Cyber Resilience Act is a legislative proposal defining the obligations of manufacturers, importers, and distributors of products containing digital elements marketed in the EU, all of which must bear the CE mark across all sectors. As defined in the regulation, this includes “any software or hardware product and its remote data processing solutions, encompassing components that can be marketed separately”. The regulation’s aim is not only to secure standalone products but also to ensure the security of data transmission chains and central infrastructures through the application of this standard. 

To this notion of product is added a notion of criticality, therefore the CRA differentiates two types of products: products with digital elements and critical products with digital elements. As detailed below in “Checklist for CRA compliance”, it will affect how compliance can be achieved. 

A few examples of products with digital elements include consumer products, smarts cities and non-essential software. Critical products with digital elements include for example industrial control systems and firewalls. The detailed list of concerned products can be found in the regulation’s annexes. 

However, as is detailed below in “A complex ecosystem”, the CRA does not apply universally; products in some specific sectors do not have to comply to the requirements 

Stakeholders and Responsibilities 

The CRA impacts the entire lifecycle of digital products, from development by manufacturers, importers, distributers to the final consumer, but also the vulnerability management from conception to the product end-life, through a share responsibility. 

Essential Requirements 

As said earlier, the CRA’s objective is to allow a sufficient level of cybersecurity in products with digital elements. To do so, it introduces essential requirements built on three pillars: 

• Product Security: Ensuring products are designed, developed, and manufactured to meet appropriate cybersecurity levels and are free from known exploitable vulnerabilities. 
• User Documentation: Providing documentation to ensure safe use from commissioning to end of life. 
• Vulnerability Management: Identifying and documenting vulnerabilities, conducting regular security tests, and implementing a vulnerability disclosure policy. 

In the event of non-compliance with the essential requirements, sanctions may be applied on any of the three stakeholders. Like GDPR, each Member State shall determine the penalties applicable to infringements of this Regulation. Penalties are based on the company’s annual turnover and the severity of the infraction, with fines reaching up to 15 million euros or 2.5% of the total worldwide annual turnover for significant breaches.  

How to achieve compliance with the CRA? 

Timeline of the CRA 

The CRA has been a long-term project, with almost 10 years from identification of the need to application, reflecting the complexity of establishing comprehensive cybersecurity regulations: 

Businesses have until the 2026 to achieve compliance, with interim obligations. Similar requirements can be found in other regulations, such as NIS2, but contrary to other regulations, the CRA does not need a national transposition. The CRA was passed by the European Parliament in March 2024, and it is awaiting a vote by the European Council to become a law. 

A complex ecosystem 

One of the major concerns raised during the preparation of the Cyber Resilience Act was how to navigate the multitude of existing regulations and achieve regulatory harmony, particularly in sectors where safety, privacy, and cybersecurity standards intersect.  

The CRA aims to foster interoperability by aligning with the general product safety framework, the Cyber Security Act’s requirements for ICT products, processes, and services, and the CE marking standards for European compliance. 

To streamline compliance, the CRA includes presumptions of conformity with existing regulations such as the RED Directive, the AI Act, and certain sector-specific rules.  

However, the CRA does not apply universally; some sectors, such as medical, aviation, and automotive, are already governed by established regulations and are thus exempt from the CRA’s provisions. 

Checklist for CRA compliance 

Compliance with the CRA involves a thorough understanding of the regulation’s core text and two annexes, which detail: the list of concerned products, essential requirements, the obligations for manufacturers, importers, and distributors and national competent authorities and sanctions.  

The certification process varies based on product criticality: 

• For non-critical products : a self-assessment is necessary 
• For critical products  : third-party assessment is necessary, meaning the product compliance to the CRA will be assessed by a certified entity. At the time of writing this article, the exact certification schemes have yet to be specified but in France, the CESTI certification is in discussion.  

Five main checkpoints are to be considered to achieve compliance:  

1. Legislative Gap Analysis: Identify discrepancies between current practices and the requirements of the CRA by reviewing existing cybersecurity policies, processes, and controls to pinpoint areas needing improvement. 
2. Product Security Assessment: Conduct thorough assessments to ensure product identification and security.  
3. User Instructions Update: Provide clear and comprehensive user documentation by ensuring that all products are accompanied by documentation in adequation with the regulation standards. 
4. Vulnerability Management: Set up a process for identifying and sharing vulnerabilities. 
5. Internal Organization Review: Implement a permanent procedure to ensure compliance, covering the above-mentioned key points and enforce a watch on product or legislation changes that may imply new gaps to remediate.

In conclusion, the Cyber Resilience Act represents a comprehensive framework to enhance the cybersecurity of digital products within the EU. Compliance with this legislation requires thorough preparation. For businesses, adhering to the CRA is not just a legal obligation but also an opportunity to enhance their standing in a market increasingly aware of cybersecurity issues.  

Cet article Cyber Resilience Act: A revolution redefining product security and transforming the ecosystem est apparu en premier sur RiskInsight.