Navigating the RED Cybersecurity requirements
Why choosing the correct module ensures EU market success.
The European Union’s Radio Equipment Directive (RED) Delegated Regulation, effective August 1, 2025, introduces mandatory cybersecurity requirements for radio equipment that can be connected to the Internet and is sold in the EU market. These rules, outlined in articles 3.3 (d), (e), and (f), aim to protect networks and user data and to prevent fraud in devices such as IoT devices, smartphones, and wearables. Non-compliance risks losing access to the EU market, a critical concern for manufacturers. A key factor in fulfilling these requirements is selecting the correct hardware platform with appropriate security features for connectivity products. All u-blox modules are designed with security in mind. This blog explores the RED cybersecurity articles and why the selection of the hardware platform is critical. We will exemplify the practical steps to reach compliance using the u-blox IRIS W10 Wi-Fi™ / Bluetooth® / Thread module series. This module series is built on the popular RW612 System-on-Chip (SoC) from NXP Semiconductors.
Understanding the RED Cybersecurity Articles
- Article 3.3 (d) – Network Protection: Devices must not harm networks or misuse resources, which could degrade service quality for the device itself and for others on the network.
- Article 3.3 (e) – Personal Data and Privacy Protection: Devices must protect personal data and user privacy against breaches. Robust security mechanisms are needed to safeguard sensitive information.
- Article 3.3 (f) – Fraud Prevention: This mandates protections against fraudulent activities, particularly for devices handling transactions. Features like secure execution environments are essential.
These requirements apply to all internet-connected radio equipment sold in the EU, making compliance mandatory for market access.
Two Methods to Comply with the RED Cybersecurity Articles
Manufacturers can prove conformity of their product to the articles 3.3 by two different methods. The first is to have the product tested, or its technical documentation assessed, by a Notified Body appointed by any EU member state. While this method is more expensive and time consuming, many security-focused companies take this route to prove their security posture.
For device manufacturers who do not want to go through a Notified Body, the EU Commission published a set of harmonized standards called “Common security requirements for radio equipment EN 18031”. Part 1 of the document covers the requirements for article 3.3 (d), while parts 2 and 3 cover the requirements for articles 3.3 (e) and (f) respectively. The manufacturer is expected to create proper technical documentation proving their security posture in accordance with parts 1, 2 and 3 of EN 18031 and to use this documentation to self-declare compliance with articles 3.3 (d), (e) and (f). This must be done before the product is placed on the market. Manufacturers are expected to retain this documentation along with the Declaration of Conformity (DoC) for a period of at least 10 years from the date of placing the product on the market. This documentation must be made available to Market Surveillance Authorities at any time during the 10-year period, regardless of the product lifetime.
u-blox’s module portfolio uses a combination of the two methods to prove compliance with the RED cybersecurity articles. The technical documentation of some of our modules has been presented to and approved by a Notified Body, while other modules have been self-declared.
Self-assessment using EN 18031 harmonized standard
The EN 18031 standard has 3 parts. The requirements in part 1 focus on the radio equipment being able to protect its security assets and network assets against common cybersecurity threats. Part 2 requirements focus on internet-connected devices being able to protect their security and privacy. Part 3 sets requirements on protecting financial and security information stored on the connected device. Not all internet-connected products are subject to all 3 cybersecurity articles of the RED Delegated Act. All device manufacturers must make sure to identify which requirements are applicable to their end-product and design and implement the needed cybersecurity protections. For example, an internet-connected bread toaster that is placed on the EU market on the 1st of August 2025 must comply with the cybersecurity requirements in the RED regulation. However, it is highly unlikely that the device manufacturer must implement the requirements for articles 3.3 (e) and (f), because connected bread toasters do not usually handle user privacy information or financial transactions.
The requirements in EN 18031 can be broadly listed as follows:
- Access Control Mechanisms (ACM): The product implements proper control mechanisms to allow entities and users access to network, product security, privacy and financial assets.
- Authentication Mechanism (AUM): The product implements proper verification mechanisms to verify that users really are who they claim to be before providing access to sensitive information.
- Secure Update Mechanisms (SUM): The product has methods to update its software after verifying the software’s integrity and authenticity.
- Secure Storage Mechanisms (SSM): The product has implemented proper protection to store network, security, privacy and financial data in a secure way.
- Secure Communication Mechanism (SCM): The product communicates with other devices and the network in a secure way using proper cybersecurity.
- Resilience Mechanism (RLM): The product shall implement resilience mechanisms to mitigate the effects of DoS attacks.
- Network Monitoring Mechanisms (NMM): Products classified as ‘network equipment’ shall monitor for unusual traffic and other indicators of DoS attacks.
- Traffic Control Mechanisms (TCM): Products that manage networks, like wireless routers, must have methods to control malicious traffic.
- Confidential Cryptographic Keys (CCK): The cryptographic keys used for protection in the device must be strong enough to provide sufficient protection against attacks.
- General Equipment Capabilities (GEC): The manufacturer is expected to ensure that the product is resilient to cybersecurity attacks by limiting, configuring and documenting exposed interfaces/services, ensuring boot integrity, keeping proper documentation of all hardware and software components used in the product and making sure that there are no known exploitable vulnerabilities in the product.
- Cryptography (CRY): The manufacturer uses best practices for any cybersecurity cryptographic implementations in the device.
- Logging Mechanism (LGM): The end-product shall use appropriate logging mechanisms while handling data related to user privacy and financial information.
- Deletion Mechanism (DLM): The device shall provide options to delete user data that affects user privacy.
- User Notification Mechanism (UNM): The device shall provide mechanisms to notify the user when there are any changes in the product that affect the protection of user privacy.
Why the Correct Hardware Matters
Choosing the right hardware is paramount to being able to satisfy all the cybersecurity requirements. The SoC is the core of a connectivity product, integrating processors, memory, and wireless connectivity. Its security capabilities directly impact compliance with RED requirements. A well-chosen SoC offers:
- Powerful processor and larger RAM: Some of the above requirements, like LGM, DLM, UNM, TCM, NMM, and ACM, might seem like pure software implementations. But adding these features to the application, above and beyond the product’s existing functionality, needs larger RAM and more MCU capability.
- Hardware Security Features: Most of the requirements in AUM, SUM, SSM, and SCM require that the hardware supports these features. Hardware security accelerators in the chipset and a hardware Root-of-Trust are essential to creating secure products as per the RED cybersecurity requirements.
- Streamlined Application Development: Even if the SoC supports all the features, it’s important to have good SDK access so that the application can easily make use of them. The SoC software team must constantly scan for vulnerabilities and patch them, so that applications built on top of this SDK are always free from known vulnerabilities.
- Large memory requirements for futureproofing: Support for firmware updates ensures devices stay secure against new threats. To update the firmware on the device using a dual-banked solution, the hardware must have enough memory to store at least two applications simultaneously.
An SoC lacking these features can lead to compliance gaps, requiring costly redesigns or additional hardware. If EU authorities identify compliance gaps, it can lead to heavy penalties and, in the worst case, a ban from the EU market. Other unintended consequences of a poor choice of hardware include laggy software and a poor end-user experience, or difficulty in managing vulnerabilities and distributing patches. For engineers and compliance managers, selecting a hardware platform with a robust security posture is a foundational step for EU market success.
IRIS-W10 module powered by NXP Semiconductor RW612 SoC can easily comply with the requirements in the RED cybersecurity articles
How Can IRIS-W10 Help
IRIS-W10 was built from the ground up with security in mind. The SoC used in the module, NXP Semiconductor’s RW612, can support RED compliance if appropriate features are implemented and enabled. A design based on IRIS-W1 typically includes:
- PSA Certified and SESIP Level 3 SoC: The SoC comes with component-level certifications like PSA Certified Level 3 and SESIP Level 3. This makes RW612 one of the most secure SoCs in the market. Customers, in their end-product design, simply need to prove that they have properly enabled the features provided by the SoC to show that they have the needed cybersecurity level in their end-product.
- EdgeLock® security technology: NXP’s EdgeLock® technology includes different security features, including Secure Boot, Secure Storage and Secure Debug Ports, all grounded in the SoC using a Hardware Root-of-Trust. This provides the fundamental protection needed for end-products. The Secure Boot features in the SoC directly answer the SUM requirements, while the SSM requirements are met by the Secure Storage features in the SoC.
- TEE, Tamper detection and TRNG: A TEE (Trusted Execution Environment) based on ARM’s TrustZone-M, tamper detection mechanisms and a TRNG (True Random Number Generator) all make sure that applications are very secure during execution. This is essential to meet the requirements in CCK.
- CoreMark® score: 1,000+ and 1.2MB of SRAM: Adding new security-related functionality into the application on top of the existing application is a breeze using IRIS-W1. The SoC has a whopping CoreMark score of 1033 with a large amount of RAM.
- Scalable Non-Volatile Memory options: The IRIS-W10 radio comes pre-certified for the EU market. It comes in both 8 MB and 16 MB options, allowing developers to easily design and implement secure firmware update mechanisms.
- Hardware Crypto Accelerators: The SoC also has cryptographic accelerators to speed up complex cryptographic calculations that would otherwise lead to a sluggish software experience.
- SDK maintenance and vulnerability patching: Both u-blox and NXP Semiconductors have PSIRT (Product Security Incident Response Team) teams constantly working on evaluating and reporting relevant vulnerabilities. Both teams have responsible disclosure policies in place. MCUXpresso is also a mature and recognized SDK within the Wi-Fi IoT ecosystem. NXP Semiconductors provides access to a tool, called Vigiles, that helps with identifying vulnerable components in the product.
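As an added example (not u-blox or NXP code, and not the MCUXpresso API), the following Python models the update gate that the SUM requirement and the dual-banked flash layout described above call for: an image is accepted only if its integrity and authenticity check passes and its version is newer than the running one, and it is written to the inactive bank before the boot pointer moves. It uses HMAC-SHA256 with a device-provisioned key as a stand-in for the public-key signature that a Secure Boot chain anchored in a hardware Root-of-Trust would verify; the image format, the key and the bank contents are constructed for this example.

```python
import hashlib
import hmac
import struct

# Constructed image format for this example: a header (magic, version, payload
# length), a 32-byte HMAC-SHA256 tag over header+payload, then the payload.
# A production Secure Boot design would use a public-key signature instead.
MAGIC = b"FWUP"
HEADER = struct.Struct("<4sII")   # magic, version, payload length
TAG_LEN = 32

def build_image(key: bytes, version: int, payload: bytes) -> bytes:
    """Produce a tagged image (what a build server does; constructed here)."""
    header = HEADER.pack(MAGIC, version, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + tag + payload

def verify_image(key: bytes, image: bytes):
    """Return (version, payload) if integrity and authenticity hold, else None."""
    if len(image) < HEADER.size + TAG_LEN:
        return None                                   # truncated image
    header = image[:HEADER.size]
    tag = image[HEADER.size:HEADER.size + TAG_LEN]
    payload = image[HEADER.size + TAG_LEN:]
    magic, version, length = HEADER.unpack(header)
    if magic != MAGIC or length != len(payload):
        return None                                   # malformed header
    expected = hmac.new(key, header + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):        # constant-time compare
        return None                                   # tampered or unauthentic
    return version, payload

def apply_update(banks: list, active: int, key: bytes, image: bytes):
    """Dual-bank update: verify, enforce anti-rollback, write the inactive
    bank, then swap. banks is [(version, payload), (version, payload)];
    returns (banks, active_index, accepted)."""
    result = verify_image(key, image)
    if result is None:
        return banks, active, False       # reject: keep running the current bank
    version, payload = result
    if version <= banks[active][0]:
        return banks, active, False       # anti-rollback: no older/equal versions
    target = 1 - active                   # never overwrite the bank we run from
    new_banks = list(banks)
    new_banks[target] = (version, payload)
    return new_banks, target, True        # boot pointer moves only after a good write
```

The rejected paths return the unchanged bank state, which is what lets the device keep booting a known-good image when an update is corrupt, unauthentic or a downgrade.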
The RED cybersecurity requirements, effective August 1, 2025, benefit European consumers. But the same requirements can become a critical hurdle for manufacturers targeting the EU market. The hardware platform is a pivotal component, as its security and related features directly address these requirements. All u-blox modules are designed with security in mind, and specifically the IRIS-W10 series, powered by the NXP RW612, comes with features that help meet these standards without much effort. By selecting the right connectivity module and following a structured compliance approach, manufacturers can ensure their wireless products remain competitive in the EU market.
Hari Vigneswaran: Senior Product Manager IoT & Cybersecurity,
Product Strategy Short Range Radio, u-blox
Courtesy of u-blox