Wireless cybersecurity legal update impacts design engineers

A recent legal update by EU regulators – known as the Radio Equipment Directive Delegated Act, or RED DA for short – brought in stringent cybersecurity requirements for any electronic device which connects to the Internet using wireless technology – effective 1st August 2025!

In this article, industry expert David Pashley, Co-Founder & Managing Director at Direct Insight, outlines how RED DA affects what engineers need to think about in terms of compliance when designing electronic products or systems with wireless functionality – and what buyers must also consider when sourcing components.

Readers involved in designing and developing electronic products and embedded systems will no doubt have heard plenty of industry discussion recently around the EU Cyber Resilience Act (CRA). The CRA became law in December 2024 and extends the CE marking scheme by mandating that, from December 2027, all products with digital elements that can be connected to a device or network must adhere to a strict set of rules in their design, documentation, and support before claiming conformance.

In our opinion, developers should view the CRA as an opportunity, not a threat. Many discussions around cybersecurity and the CRA revolve around whether this or that requirement can be rightfully avoided. In one sense, this is understandable, given the time and effort required for implementation. However, as customers increasingly (and rightfully!) demand secure products, surely we should want to demonstrate that we’re meeting that demand, rather than tying ourselves in knots to avoid implementing the most basic forms of security?

RED DA – effective 1st August 2025

But even ahead of the December 2027 deadline for CRA-compliance, another recent legal update by EU regulators has brought in stringent cybersecurity requirements for any electronic device which connects to the Internet “directly or via any other equipment” using any form of wireless technology.

Known as the Radio Equipment Directive Delegated Act (2022/30/EU), or RED DA for short, the new legislation takes many of the cybersecurity requirements of the CRA (which enter into force in 2027), and makes them immediately effective for many wireless devices – giving its provisions force of law by amending the 2014 Radio Equipment Directive – and thereby preventing CE marking, or shipping into the EU supply chain, of any product which fails to declare conformity from 1st August 2025.

Although the 1st August deadline for RED DA compliance may have been news to some, in fact, as the Delegated Act’s 2022 designation suggests, it has been around for a while. It was originally intended to take effect in August 2024, but a delay was granted because of the absence of “harmonised standards” – a set of precisely stated technical requirements against which conformity can be assessed. However, the EN 18031 series of standards was finally ratified in January 2025 – at which point it became clear that there would be no further extension.

The EN 18031 standard is in three parts, each of which defines cybersecurity requirements for specific, overlapping categories of electronic devices. Unlike earlier cybersecurity standards, such as EN 303 645 or the UK’s PSTI (Product Security & Telecommunications Infrastructure) regime, the scope of EN 18031 is not restricted to consumer products – all embedded and IoT devices are potentially in scope.

The most impactful section of EN 18031 is Part 1, because its scope is wide: all devices which connect to the Internet via wireless, including ‘indirect’ connections via other equipment. Recent expert interpretation confirms that any passing of information to or from the internet brings a device in-scope – the device-side data does not need to be in internet protocol form, for example. Therefore, even simple information exchange using low-bandwidth connections, such as LPWAN or Bluetooth, via a bridge or local network is not exempt.

EN 18031 Parts 2 and 3 provide, respectively, tighter requirements for devices processing personal, traffic or location data, and for those enabling financial transactions. But only a minority of embedded and IoT systems will fall within the scope of Parts 2 and 3 – and so it is suppliers of products outside of these domains who are likely facing the worst-case scenario of wanting to CE mark, but having not previously considered cybersecurity at all.

The security requirements that EN 18031 imposes from 1st August are not as exacting as those of the Cyber Resilience Act, which enters into force in December 2027. For this reason – and to avoid duplicate compliance requirements – EU legislators have decreed that these RED DA provisions will automatically be dropped from June 2028.

Compliance

So, what are the requirements of EN 18031? Probably the single most impactful stipulation is that devices must be shipped without “known exploitable vulnerabilities”, and subject to secure updates throughout their lifetime. Storage and communication must be secure – and therefore encrypted. And these points need to be properly assessed and documented to show how compliance is achieved.

The standard does allow for the impracticality of achieving some of its requirements in certain use cases – but that does not relieve OEMs of the responsibility to risk-assess their product against the standard line by line in order to make a statement of conformity.

Some suppliers are struggling to conform across their product range. The stark reality is that to apply a CE mark to a non-conforming product would be fraudulent – and so many aware-but-unprepared developers were left scrambling to meet the deadline. What proportion of vendors remain unaware is difficult to judge. And vendors taking a ‘relaxed’ attitude to cybersecurity may be called to account by competitors that have committed significant resources to compliance.

It’s hard not to contrast the challenge of facing cybersecurity requirements at short notice with the relative simplicity and lower cost of a more measured approach. Nearly all electronic products – with or without wireless or an Internet connection – will be subject to the provisions of the Cyber Resilience Act in 2027. Easy steps taken by developers today could make both RED DA and CRA-compliance more of a breeze than an approaching storm.

About the author:

David Pashley, Co-Founder & Managing Director, Direct Insight

This article originally appeared in the Nov/Dec issue of Procurement Pro.