Why the RED 3.3 Directive matters
With the rise of wireless-connected devices, the risks to network security and personal data have also increased. The RED (Radio Equipment Directive) 2014/53/EU, and in particular Delegated Regulation (EU) 2022/30, introduces new cybersecurity obligations for manufacturers of radio equipment.
Starting August 1, 2025, compliance with RED 3.3 will be mandatory to market these products in the European Union.
The goal is clear: ensure that all radio-connected devices are secure by design, protecting users and infrastructure from cyber threats.
What RED 3.3 requires
RED 3.3 applies to products that connect via radio, such as smartphones, IoT devices, wearables, routers, and smart home equipment, and requires manufacturers to:
- Prevent disruptions or interference with communication networks;
- Safeguard the confidentiality of personal data and user communications;
- Prevent unauthorized access or control of the device.
These requirements must be integrated from the design phase and maintained throughout the product’s lifecycle. Some devices will need certification from notified bodies, while others can follow a self-assessment path if they meet harmonized standards.
Which products are covered?
All radio-connected devices are involved, including both consumer and industrial devices. Examples include:
Smartphones & Tablets
Mobile phones, tablets, and portable computers with wireless connectivity.
Routers & Modems
Wi-Fi routers, modems, and access points for home or office use.
Smart Home Devices
Thermostats, bulbs, intercoms, and other connected home equipment.
Wearables & Health Tech
Smartwatches, fitness bands, and connected healthcare devices.
POS & Payment Devices
Terminals and devices used for financial transactions.
IoT & Industrial Sensors
Sensors and devices for smart cities, industry 4.0, and automation.
Manufacturers of embedded devices based on Linux should pay special attention to reinforcing system security by implementing practices such as Secure Boot, encrypted filesystems, and secure update mechanisms.
Products already covered by specific EU sectoral regulations (e.g., medical devices, automotive) are excluded to avoid regulatory overlap.
Penalties and market impact
As of August 1, 2025, non-compliant products will not be allowed on the EU market. It is therefore essential that technical teams start aligning their design, testing, and documentation processes with the new requirements.
Failure to comply may result in:
- Mandatory product recalls
- Sales bans across the EU
- Reputational damage
- Legal liabilities in case of security breaches
Key challenges for developers and Manufacturers
For many companies, the main challenge is technically implementing the security requirements and preparing the required technical documentation.
This includes:
- Performing a cybersecurity risk assessment during design;
- Demonstrating protection against network disruptions
- Adopting best practices for data handling and storage
- Preparing a technical file for certification (if applicable)
Complexity increases in systems using third-party components or open-source firmware.
How Abinsula supports RED 3.3 compliance
Abinsula offers specialized consulting services to support your team in the RED 3.3 compliance process. With our expertise in embedded systems, secure software design, and EU regulation, we help you:
- Identify product lines subject to RED requirements
- Perform risk and gap assessments
- Integrate security principles into your design process
- Prepare the required technical documentation for market access
- Align update and maintenance strategies with regulatory obligations
Whether you’re developing a new IoT device or need to recertify an existing product, Abinsula helps reduce risks and accelerate your path to compliance.
Want to make your connected devices RED 3.3 compliant?
Contact us for a personalized consultation and start your compliance journey today.
Con Abinsula la Sardegna si “tuffa” nell’Internet of Things
