The RED Delegated Act Is Here: What It Means for Connected Device Makers
On August 1, 2025, the EU’s Radio Equipment Directive Delegated Act came into force. Otherwise known as RED DA, the legislation introduced mandatory cybersecurity requirements for a wide range of connected devices.
If your product has radio capabilities and connects to the internet, it now needs to meet defined cybersecurity standards to carry the CE mark in Europe.
The standards you need to meet
| Article | Focus Area | Standard |
|---|---|---|
| 3.3(d) | Network protection - don’t harm the network or enable attacks | EN 18031-1:2024 |
| 3.3(e) | Privacy and data protection - safeguard personal data by design | EN 18031-2:2024 |
| 3.3(f) | Fraud prevention - secure financial transactions and virtual currency | EN 18031-3:2024 |
An important note – cybersecurity must be part of the product design, not added later. Default passwords, unencrypted data, and unsecured connections are no longer acceptable for products entering the EU market.
Who is impacted?
RED DA applies to any wireless or internet-connected device placed on the EU market. For Tria’s OEM customers, this includes:
- IoT sensors and gateways
- Smart home devices
- Industrial controllers and HMIs
- Connected medical equipment
How you can demonstrate compliance
There are two main routes. Self-declaration is the most common – you assess your product against the relevant EN 18031 standards, document how each requirement is met, and issue your own Declaration of Conformity. If your product deviates from any part of the standards, a Notified Body assessment is required instead.
Either way, your technical file needs to be complete and ready for inspection at any time.
The CRA is coming
The EU’s Cyber Resilience Act (CRA) will apply to virtually all products with digital elements from December 2027, taking cybersecurity requirements further still. The standards you meet under RED DA now build directly toward CRA compliance.
How Tria can help
Our team has been certifying radio equipment under RED for over ten years. We also carry out extensive cybersecurity and CRA preparation work, both for our own products and for our customers. That means we can support your compliance from RF performance right through to.
In practice, that includes:
- Technical Q&A during your conformity assessment
- Assistance with technical filings and documentation
- An EN 18031-aligned Control Coverage Matrix to map your product against the standard
- Communication with Notified Bodies on your behalf, if required
For OEMs preparing for both RED DA today and CRA tomorrow, working with Tria streamlines the process and speeds time to market.
Looking to launch a connected product in the EU?
Talk to our team about how Tria’s RED DA Ready modules compliance services can support your next design.