The new RED II EN18031 requirements present manufacturers with new challenges. The ONEKEY platform simplifies the cybersecurity assessments
DUESSELDORF – With the recently published Implementing Decision EU 2025/138, the European Union has introduced new harmonized standards from the EN 18031 series, which clarify the cybersecurity requirements for devices with radio interfaces under the Radio Equipment Directive (RED II). The Duesseldorf-based cybersecurity company ONEKEY offers a comprehensive solution through its Product Cybersecurity & Compliance Platform (OCP), expert consulting services, and specific assessments, enabling manufacturers to check their products for potential security gaps in accordance with the RED standards. This assessment covers everything from the creation and management of a Software Bill of Materials (SBOM) to the mandatory vulnerability management required by RED II, as well as ONEKEY’s Compliance Wizard. The Compliance Wizard combines an automated technical cybersecurity assessment with a virtual assistant for simplified technical product cybersecurity compliance assessment. The resulting documentation helps to meet the EU’s cybersecurity requirements under the various RED standards.
Security for Connected Devices with Wireless Communication
Specifically, the current focus is on the following three areas of the RED 18031 standard*:
• EN 18031-1:2024 (Security for devices with wireless communication connected to the internet; here, both the ONEKEY Product Cybersecurity Platform (OCP) and the consulting services play a key role),
• EN 18031-2:2024 (Security for IoT devices, toys, wearables, and child care communication devices that require special protective measures; primarily a consulting topic),
• EN 18031-3:2024 (Security for devices with wireless communication processing virtual currencies, which are subject to higher security requirements; again, a consulting topic).
With the harmonization of the EN 18031 series, manufacturers can benefit from the presumption of conformity, meaning that their products will be considered compliant with the RED cybersecurity requirements if they fully comply with the relevant standards and provide a self-declaration. This significantly facilitates market access within the EU, provided the standards are fully implemented and evidence of compliance is provided.
“Providing this evidence has become significantly easier with our Product Cybersecurity & Compliance Platform,” explains Jan Wendenburg, CEO of ONEKEY. He outlines his company’s strategy: “We are constantly expanding and updating our automated cybersecurity assessments with new standards. In addition to RED II, these includes IEC62443-4-2, ETSI 303645, the EU Cyber Resilience Act (CRA), and other international standards such as UK PSTI, Singapore CLS, and more.”
Consumers will benefit from the RED harmonisation as the standards improve protection against cyber-attacks, data misuse, and insecure devices. Whether it’s smart doorbells, connected toys, or cryptocurrency wallets – the RED regulations are designed to build more trust in an increasingly digital world, according to ONEKEY.
RED II Assessment According to EN 18031-1/-2/-3 as a Consulting Service
The assessment by ONEKEY experts according to EN 18031-1, -2, and -3 is also available for all companies. It starts with an interactive workshop in which the RED requirements are explained in an understandable way. A structured assessment of the current state, using interviews and questionnaires, then analyzes the company’s current processes, documentation, and software development practices.
The result is a detailed report that highlights existing gaps, i.e., deviations from the standard requirements, and provides concrete recommendations for addressing them. Follow-up consulting services, such as concept design and implementation support, help companies specifically on their way to full RED compliance. Through the combination of technical analysis, interviews with key stakeholders, and focused gap analysis, a clear roadmap for achieving compliance is created.
Background on the Creation of the RED Standards
The Radio Equipment Directive (RED, 2014/53/EU) was first adopted in 2014 and came into effect in 2016, replacing the previous R&TTE Directive (Radio and Telecommunications Terminal Equipment Directive) from 1999. This was an initial step toward creating unified standards for radio and telecommunications equipment. It set requirements for safety, health protection, and electromagnetic compatibility (EMC), and introduced the CE marking as proof of conformity.
After the implementation of RED in 2016, it quickly became clear that digitalization brought new challenges. The explosive spread of IoT devices – from smart thermostats to connected toys – highlighted the vulnerability of these technologies to cyberattacks. In 2019, the European Commission began preparing legal acts to introduce minimum cybersecurity requirements for radio equipment. This process was supported by the adoption of the Cybersecurity Act (EU 2019/881), which created a framework for IT security certification. A significant milestone was the introduction of the Delegated Regulation 2022/30 (RED II), which established specific cybersecurity requirements for radio equipment.
The Implementing Decision EU 2025/138 from early 2025 marks the provisional culmination of these developments. It introduces the harmonized standards EN 18031-1, EN 18031-2, and EN 18031-3, which define specific cybersecurity requirements for different device categories.
* https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=OJ%3AL_202500138
ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of the automated ONEKEY Product Cybersecurity & Compliance Platform (OCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.
Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes – without source code, device, or network access. Proactively audit software supply chains with integrated software bill of materials (SBOM) generation. “Digital Cyber Twins” enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle.
The patent-pending, integrated Compliance Wizard™ already covers the EU Cyber Resilience Act (CRA) and requirements according to IEC 62443-4-2, ETSI EN 303 645, UNECE R 155 and many others.
The Product Security Incident Response Team (PSIRT) is effectively supported by the integrated automatic prioritisation of vulnerabilities, significantly reducing the time to remediation.
Leading international companies in Asia, Europe and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform (OCP) and ONEKEY Cybersecurity Experts.
Further information: ONEKEY GmbH,
Sara Fortmann, Email: sara.fortmann@onekey.com,
Kaiserswerther Str. 45, 40477 Duesseldorf, Germany,
Web: www.onekey.com
