4 EU markets affected by voluntary suspension
11 Weeks from audit notification to product relisting
3 Articles of RED not assessed in original CE marking

The Context

From 1 August 2025, all radio equipment newly placed on the EU market became subject to cybersecurity requirements under Articles 3.3(d), (e), and (f) of the Radio Equipment Directive (RED 2014/53/EU), activated by Delegated Regulation (EU) 2022/30. Article 3.3(d) requires that radio equipment does not harm the network or misuse network resources. Article 3.3(e) requires protection of personal data and user privacy. Article 3.3(f) requires protection against fraud, particularly for payment-capable devices.

The requirement had been signalled for years and the mandate was not unexpected. But the gap between regulatory awareness and operational implementation was significant for a large number of manufacturers - particularly those whose CE marking process had been established well before August 2025 and was not systematically reviewed when the new requirements entered into force.

What Happened

A consumer electronics brand launched a smart home gateway device across four EU member states in September 2025 - five weeks after the RED cybersecurity requirements entered into force. The product had undergone testing by an accredited laboratory. The Declaration of Conformity was complete and listed the relevant directives: RoHS Directive, EMC Directive, Low Voltage Directive, and the Radio Equipment Directive. The Technical Construction File included the test reports supporting conformity with RED's radio performance and spectrum requirements.

What the Declaration of Conformity did not include was any reference to Articles 3.3(d), (e), or (f) of RED - the cybersecurity provisions that became mandatory on 1 August 2025. The testing that formed the basis of the original CE marking had been completed before the harmonised standards for RED cybersecurity (EN 18031-1/2/3:2024) were published in January 2025, and the documentation had not been updated to address the new requirements before the product launched.

The product's CE marking was technically valid for radio performance, EMC, and LVD - but incomplete for RED cybersecurity. For a product with Wi-Fi and Bluetooth connectivity newly placed on the EU market after 1 August 2025, an incomplete Declaration of Conformity means the CE marking obligation is not fully satisfied.

During a routine documentation audit, a market surveillance authority in one of the four member states identified that the product had not been assessed against Articles 3.3(d)(e)(f) of RED. The authority raised a formal query, requesting evidence of cybersecurity conformity assessment under the harmonised standards EN 18031-1, EN 18031-2, and EN 18031-3.

The Response

The brand initiated a voluntary market suspension across all four EU member states to avoid escalation to a formal withdrawal order. A voluntary suspension, while commercially disruptive, allows the manufacturer to manage the resolution process and relisting timeline. A formal withdrawal order carries significantly heavier documentation obligations, mandatory reporting to the EU Safety Gate rapid alert system, and a more complex reinstatement procedure.

Week 1

Market Surveillance Notification Received

A market surveillance authority in one of the four EU member states formally requested evidence of RED cybersecurity conformity. Voluntary suspension initiated across all four markets to prevent further stock entering the supply chain.

Weeks 1-2

Gap Assessment and Conformity Pathway Scoped

TGC conducted an expedited gap assessment against EN 18031-1 (network protection), EN 18031-2 (privacy and data), and EN 18031-3 (fraud prevention). The gateway's Wi-Fi and Bluetooth interfaces required assessment under all three standards. The gap assessment identified that EN 18031-3 (fraud prevention) required Notified Body involvement rather than self-declaration under Module A.

Weeks 2-7

EN 18031 Assessment Completed

Laboratory testing and Notified Body assessment completed against EN 18031-1/2/3. Several minor non-conformities identified in the firmware's network communication handling required software updates before the full conformity assessment could be signed off.

Weeks 7-9

Technical File Updated and Declaration of Conformity Revised

The Technical Construction File was updated to include the EN 18031 test reports and Notified Body certificate. The Declaration of Conformity was revised to reference Articles 3.3(d)(e)(f) and the harmonised standards under which conformity was assessed.

Weeks 9-11

Relisting Across All Four Markets

Updated documentation submitted to the market surveillance authority that had raised the initial query. Following confirmation, product relisting was processed across all four member states. Total time from notification to relisting: eleven weeks.

The Commercial Impact

Eleven weeks is a significant window for a product that had launched into four markets simultaneously. The direct commercial impact included lost sales revenue across the suspension period, warehouse holding costs for stock that could not be released into the supply chain, disrupted relationships with the distributors who had placed the product on shelf, and the cost of the expedited conformity assessment, Notified Body fees, and firmware update process.

The indirect impact was harder to quantify. The product's launch window - typically the highest-velocity sales period for consumer electronics - was largely consumed by the suspension. The distributors in two of the four markets required written confirmation of the updated compliance status before agreeing to relist the product, adding further timeline complexity. And the cost of the expedited assessment process was approximately three times what a pre-launch RED cybersecurity gap analysis would have cost at the design review stage.

A pre-launch RED cybersecurity gap analysis - mapping the product's radio interfaces against the EN 18031 standards and identifying the Notified Body requirement before submission for testing - would have cost a fraction of the eleven-week suspension, the expedited assessment, and the commercial impact of losing the launch window across four markets.

Why This Pattern Is Repeating

The scenario above is not an isolated incident. The RED cybersecurity requirements created a structural gap for a specific category of manufacturer: those who had invested in CE marking before August 2025, whose products continued to be manufactured and placed on the EU market after that date, and whose compliance review process did not separately address the cybersecurity provisions when the mandatory date arrived.

The common factors across these cases are consistent. The CE marking process was treated as a one-time certification activity rather than a living documentation obligation that requires updating when new requirements enter into force for products already in production. The RED cybersecurity provisions were understood at a regulatory awareness level - the business knew they were coming - but the operational trigger to update existing documentation before continued placement on the market was not systematically managed. And the product's radio functionality - Wi-Fi and Bluetooth, standard in smart home devices - meant all three Article 3.3 sub-provisions applied, including the Notified Body pathway for 3.3(f).

What to Do Now

For manufacturers with connected products - IoT devices, smart home equipment, wearables, connected toys, or any product with radio functionality - that are currently on the EU market or in production for EU launch, the priority actions are:

First, review the Declaration of Conformity for all radio products currently being placed on the EU market. If it does not reference Articles 3.3(d)(e)(f) of RED 2014/53/EU and the EN 18031-1/2/3:2024 harmonised standards, it is incomplete for products placed on the market after 1 August 2025.

Second, assess which conformity module applies to your product - whether self-declaration under Module A is available or whether Notified Body involvement is required. This depends on product functionality and the specific provisions of the EN 18031 standards that apply to your device type. Products with payment functionality, multi-user data environments, or certain network interfaces are more likely to require Notified Body certification.

Third, plan the CRA transition. The Cyber Resilience Act (Regulation (EU) 2024/2847) will replace the RED cybersecurity requirements on 11 December 2027, expanding the scope from radio equipment to all products with digital elements. The compliance programme built for RED cybersecurity provides a foundation for CRA compliance, but the scope and lifecycle obligations under CRA are more extensive. Building the RED assessment with CRA transition in mind reduces duplication of effort.

Is your CE marking complete for RED cybersecurity?

We assess radio equipment against EN 18031-1/2/3, identify Notified Body requirements, update Declarations of Conformity, and coordinate the full cybersecurity conformity process for EU market re-entry.
