Cybersecurity: Requirements for Device Manufacturers for CE Marking
The cyber security extension of the Radio Equipment Directive (RED) will come into force in August 2025. The RED stipulates that radio equipment must fulfil certain requirements in order to receive the CE marking, which certifies its conformity with EU safety, health and environmental standards.
These new requirements apply to readers, printers and labeling machines.
Such a regulation for a wide range of devices is unique and therefore of great importance. The EU Commission has adopted corresponding legal acts. The EU’s new cybersecurity requirements affect component and device manufacturers alike and entail specific requirements and obligations.
Together with the Federal Office for Information Security (BSI), the Federal Minister of the Interior and Community (BMI) recently presented the Federal Status Report on Cybercrime for 2023 and clearly communicated that cybercrime must be tackled with greater efforts. The study reports a 28 percent increase in cybercrime within the study period.
Interview with Olaf Wilmsmeier
1. What specific measures must component and device manufacturers take to fulfil the new cybersecurity requirements?
In the future, component and device manufacturers must ensure that their products meet the new cybersecurity requirements in order to be CE-compliant. The IoT and increasing digitalization have made this development necessary.
This means that you need to start reviewing your product range today with regard to the new requirements. You need to identify and close any security gaps in order to make cyber attacks more difficult or prevent them. This also includes the comprehensive documentation of this process.
Device manufacturers should not underestimate the time required for this process. The time available for implementation is certainly already very limited, especially if software or even hardware changes have to be made.

Olaf Wilmsmeier represents the AIM Association in Brussels and is an independent consultant specializing in Auto-ID and digitalization. He brings around 25 years of professional experience in the field of mechanical engineering and automation technology to his work.
A Wide Range of Devices
“One problem is that it is difficult to specify these standards clearly for all use cases – a clear yes / no criterion. For example, how can you define concrete specifications for a password today that will still be valid in a year’s time? Cybersecurity requirements change relatively quickly.
Furthermore, the range of devices and use cases affected by the RED extension is very broad. Therefore, a process-oriented approach is pursued instead, which allows the implementation to be checked at the time of the CE declaration of conformity against the current status of technology and the use case.”
Motivation of the EU
2. Why is the RED being expanded with regard to cyber security? What is the EU’s motivation for taking action against cybercrime?
Three new sections have been added to Article 3(3) of the Radio Equipment Directive on the subject of cybersecurity. The EU Commission is pushing ahead with this extension for several reasons.
Firstly, the increasing networking and digitalization of devices has led to increased vulnerability to cyber attacks. These attacks can not only cause considerable economic damage, but also jeopardize the security and privacy of users.
Secondly, by extending the RED, the EU Commission wants to ensure that all radio equipment placed on the European market offers a high level of cyber security. This is necessary in order to strengthen consumer confidence in digital technologies and promote a secure digital single market.
The EU Commission’s motivation is therefore to increase the security and reliability of networked devices, ensure consumer protection, and at the same time, improve the competitiveness of European industry in the global market.
By introducing these new requirements, both manufacturers and end users should benefit from improved cyber security.
Requirement of the Radio Equipment Directive (RED) of the EU
- Binding cyber security requirements
- Improvement of network security
- Use of secure components
- Reducing the risk of fraud
- Risk analyses
Which Devices Does the RED Apply To?
3. The RED is crucial for the CE conformity of radio devices. Which specific products are affected by the extension?
The extension of the RED concerns Internet-Connected Radio Equipment. In other words, devices that are internet-enabled and contain radio technology fall under the RED. This also affects Auto-ID products and sensors. The Radio Equipment Directive (RED) regulates a large number of devices that use radio technologies.
These include RFID readers, all WLAN-enabled devices such as smartphones, tablets, televisions, access points, devices that communicate via Bluetooth technology, such as barcode scanners that are paired with tablets via Bluetooth, headphones, speakers and keyboards, wireless microphones and hearing aids, wireless systems in vehicles or sensors, various toys and, of course, other IoT devices.
The RED ensures that these devices meet the basic requirements in terms of safety, electromagnetic compatibility and efficient use of the radio frequency spectrum. With the addition of cybersecurity requirements, these devices must also meet appropriate security standards in order to be protected against cyberattacks.

CE Marking
“I strongly urge device manufacturers to start implementation today or at least begin preparing the first steps. Either my products are CE-compliant or they are not. And if they are no longer CE-compliant, then they can no longer be placed on the market in the EU.”

Notified Bodies Support Companies
4. Are there already harmonized standards that clearly define the specific requirements for the products concerned?
Harmonized standards do not yet exist as they are still being developed. This is due to the fact that these standards in this form and to this extent represent a novelty in standardization. There are, of course, already established standards on the subject of cyber security. However, none of the existing standards fully cover the requirements of the RED extension on cyber security.
This means that the industry can currently prepare the conformity test, but there is still no harmonized standard on the basis of which CE conformity itself can be declared. The creation of these harmonized standards is very time-consuming, as it is something completely new in this form.
Industry experts have been working intensively since 2022 to finalize the harmonized standards and have tried to implement all EU requirements. Unfortunately, the current status of the standard must be revised in detail again after consultation with the experts from the EU Commission.
It is therefore unlikely that it will be published as a harmonized standard this year.
Device manufacturers can of course already turn to so-called “notified bodies” that can examine the submitted documents and decide whether the EU requirements have been met.
Notified bodies can officially confirm compliance even without a harmonized standard. This must be done individually for each product and could become a bottleneck due to limited human resources, as experts in this field are rare.