The EU’s latest directive on radio equipment cybersecurity impacts UC solutions sold in the EU. UC Advanced explores how resellers of UC and connectivity devices in the EU and UK are affected.
The European Union (EU)’s latest addition to the Radio Equipment Directive (RED) 2014/53 mandates that certain types of radio equipment, including many of the wireless devices used in unified communications solutions, upgrade their cybersecurity defences. That means resellers and distributors have a duty to be certain that any new wireless products they sell have built-in capabilities such as DoS protection, encryption, authentication, access controls, network traffic monitoring and secure storage.
The RED Delegated Act (EU 2022/30) came into force for all connected radio equipment sold in the EU, regardless of its origin, on 1 August 2025. Its scope extends to any device which can independently establish an autonomous connection with the Internet (the IP protocol is specified), whether the device actually uses that capability or not.
That includes the smartphones, laptops, tablets, cameras, wireless headsets and network infrastructure equipment (WiFi routers and access points) which are often used by UC solutions, as well as things like consumer IoT products, industrial control systems (ICS), baby monitors and smartwatches.
Prioritise network and data protection
The motivation behind RED DA is to prioritise the protection of company networks, end users and private data from cyber threats. To that end the harmonized regulation enforces the essential requirements of the original RED 2014/53/EU directive – namely article 3.3(d), which mandates that radio equipment must not harm the network or its function, nor misuse network resources; 3.3(e), which insists on the incorporation of safeguards to ensure the personal data and privacy of the user and subscriber are protected; and 3.3(f), which demands features to protect against fraud.
RED DA establishes three separate standards aligned to those three articles. The first is EN 18031-1 for network protection, designed to ensure that devices prevent harm to network infrastructure, avoid disruptions and mitigate resource misuse (eg DoS attacks and unauthorized access). Elsewhere EN 18031-2 covers data protection and focusses on safeguarding personal data and user privacy through encryption, robust authentication, and controls against unauthorized access or interception.
Of less relevance to UC solutions is EN 18031-3, because it applies to radio devices that process virtual currencies and associated transactions. As such it’s primarily designed to address the risks of unauthorised payments through the implementation of secure transaction protocols, fraud detection mechanisms and protection against payment system breaches.
Compliance experts such as the BSI Group advise manufacturers to check whether their product falls under the scope of these three standards. If it does, the manufacturer should conduct a compliance gap analysis; implement any necessary changes in design, testing and documentation; and consult with a RED Notified Body to obtain a certificate which demonstrates market compliance.
Onus on manufacturers, but duty for resellers
Inevitably the greater responsibility lies with manufacturers to ensure that their new equipment complies with the new RED DA regulations by establishing conformity through appropriate certification schemes.
But resellers and distributors should also make sure that what they sell complies. If the equipment being sold is judged to present any form of risk, resellers and distributors have a duty not to sell it and should inform the manufacturer and the relevant market surveillance authority. Compliance experts also advise that failure to comply with these requirements could lead to warnings and penalties from the individual state’s relevant supervisory authority, and in the worst case a sales ban and/or prosecution associated with a breach of competition law.
With the deadline for compliance with the EU’s Cyber Resilience Act (CRA) in the pipeline for 2027 (with some requirements coming into force in 2026), it may be a good idea for manufacturers to prepare for both regulations at the same time.
“The path to Cyber Resilience Act compliance starts now with RED DA – not in 2026,” stated Manual Weber, Lead Embedded Software Architect at technology consulting services firm Zühlke in a recent blog. “Early action means fewer surprises, smoother transitions, and stronger products.”
Crucially, however, the RED DA directive doesn’t apply to equipment in circulation before 1 August 2025, so products already in distribution or with retailers within the EU/EEA prior to this date are not subject to the requirements.
At a Glance: Requirements for UC Resellers
- Applies to all new UC solution components capable of connecting to the Internet.
- Includes wireless network infrastructure and telecommunications equipment as well as end user devices such as smartphones, tablets, laptops, headsets and cameras, regardless of whether or not they use that capability.
- All new UC products manufactured and sold in EU countries after 1 August 2025 must comply (those in circulation before this date are not covered by the directive).
- Resellers and distributors must ensure the new products they sell comply, and have a duty not to sell any that do not.
- Legal experts advise that failure to comply could lead to warnings and penalties from individual states’ relevant supervisory authorities, and even sales bans and prosecution under competition laws.