RED Alert! Preparing for New Cybersecurity Regulations on Connected Devices
By Carlos Serratos, SESIP Ecosystem Adoption WG Chair, GlobalPlatform
The Radio Equipment Directive (RED) has been a cornerstone of European radio equipment legislation for over a decade. It ensures products such as Wi-Fi routers and other connected devices meet stringent safety and electromagnetic compatibility (EMC) requirements around areas such as sensitive spectrum sharing. Recently, however, cybersecurity concerns have taken center stage, reflecting the reality that (almost) everything now connects to the internet.
The European Union (EU) recognized the need to expand the scope of RED to address the growing risks posed by cyberattacks targeting connected devices, culminating in the activation of RED Articles 3.3(d), (e), and (f) through a Delegated Act. These articles specifically address:
- Protecting networks from cyberattacks (Article 3.3d)
- Safeguarding user privacy (Article 3.3e)
- Mitigating financial fraud (Article 3.3f)
With the new RED rules being enforced from August 2025, OEMs of all types of connected devices—from smart TVs to industrial controllers—find themselves racing against the clock to show conformance with the expanding regulations. For OEMs lacking expertise in areas such as secure communication cryptography, this represents a significant challenge. What must they do to obtain the necessary conformance to market their products in Europe? And how do they ensure the components they use in their products are compliant?
A standards-based approach to compliance
To support OEMs on this journey, CENELEC, the European standardization organization, has developed the EN 18031 series of standards to demonstrate conformance with the Delegated Act. In January, the European Commission officially implemented EN 18031 as a harmonized framework. This enables products to be classed as compliant with the new RED cybersecurity requirements if they fully adhere to the EN 18031 standards.
These standards provide OEMs with a roadmap for meeting RED’s cybersecurity obligations, allowing them to comply with the regulation through self-declarations. However, in some cases, OEMs may still need assessments conducted by a third-party Notified Body (NB). Indeed, some may opt for this route to minimize risk and liability.
Streamlining the certification process using SESIP
Help is at hand to make this process easier: Annex D of EN 18031 introduces a direct mapping to GlobalPlatform’s SESIP framework. This means OEMs can now use SESIP as evidence of their conformance to RED’s cybersecurity requirements, streamlining the certification and self-assessment process. This marks a pivotal moment for SESIP as a trusted mechanism for demonstrating compliance with European cybersecurity regulations.
It means OEMs can now self-declare that their devices meet RED requirements by using SESIP-compliant components, saving significant time and effort. If they choose third-party assessment, certification bodies might simply verify that the device is built using SESIP-certified components and will not need to retest something already certified.
This approach extends to modularity as well. By integrating SESIP into the RED conformance process, a solid foundation is established for modular compliance. For example, consider a TV with SESIP-compliant modules. Just as an OEM can demonstrate RED compliance for similar TVs with different dimensions by proving that the TV’s module meets regulatory standards, SESIP’s modularity allows manufacturers to verify security compliance at the module and component level. Instead of testing what has already been tested, they can streamline the conformance process by relying on existing conformance evidence and on verification that the functionality is properly integrated in the end device.
Defining a conformance model for future cybersecurity rules
With the new RED directives set to come into force in just a few months, OEMs now have a faster and more efficient path to achieving the CE mark certification—a requirement for market access in the EU. By integrating SESIP into the RED conformance process, OEMs now have a clear pathway for meeting regulatory requirements and ensuring their devices can be safely sold within the EU and beyond.
For OEMs navigating complex regulatory requirements, SESIP offers a reliable, efficient, and future-proof approach to cybersecurity compliance. Its inclusion in RED through EN 18031 also sets a precedent for upcoming regulations such as the Cyber Resilience Act (CRA), which takes effect in December 2027. As security standards evolve, SESIP enables manufacturers to stay ahead, ensuring their devices meet the highest levels of protection—both today and in the future.
Join us at the EU Cyber Acts Conference in Brussels for the IoT Cyber Compliance Day (25 March) to find out more about how the industry can prepare for upcoming cybersecurity regulations.