"Lack of knowledge among companies" – sales ban for untested connected products
31 March 2025, 05:54
When the cybersecurity addition to the Radio Equipment Directive (RED) comes into force on August 1 this year, it will be prohibited to sell connected products within the EU that are not tested and approved according to RED. Despite this, many companies have yet to test their products.
The cybersecurity addition to RED is a central part of the EU's efforts to strengthen protection against cyber threats. Companies affected include most manufacturers, importers, or distributors of connected products within the EU, such as remote-controlled products, industrial electronics, machinery, baby monitors, toys, as well as smart mobiles, watches, bracelets, and other devices that handle personal data or location information.
With only months left, time is running out.
“There is still a lack of knowledge among companies affected by the cybersecurity addition to RED, and many have not tested their products. If this is not done in time, it means they cannot be sold on the European market from August”, says Ted Strandberg, cybersecurity expert at RISE.
Ted Strandberg, cybersecurity expert at RISE.
Companies can have their products tested against the cybersecurity requirements in RED by a notified body, such as RISE. One of those who have done this is the tech company AutoStore.
“We chose to be proactive with testing and contacted RISE because we know they are at the forefront of cybersecurity. Additionally, they had the capacity and expertise to develop a customized solution for our product. This means we are now well-prepared and can focus on developing our product and business without risking getting stuck in regulations”, says Joakim Franzon, Director of Product Compliance at AutoStore.
For more information, contact:
Ted Strandberg, cybersecurity specialist, Security & Transport, RISE ted.strandberg@ri.se, tel +46 724-54 60 93
FACTS:
The need for cyber-secure products has increased, and the cybersecurity addition to RED is a central part of the EU's efforts to strengthen protection against cyber threats. RED imposes security requirements on companies that manufacture, import, or distribute products with radio components.
The cybersecurity addition to the Radio Equipment Directive is referred to as RED 3(3) d, e, f and comes into force on August 1, 2025. It applies to most directly or indirectly connected products that either transmit or receive, such as remote-controlled products, mobiles, smart watches and bracelets, industrial electronics, baby monitors, toys, devices that handle personal data or location information.
Medical devices are completely exempt from the regulations, while products for aviation and road vehicles are exempt from articles 3(3) e and f but not article 3(3) d.