Cybersecurity: How organizations can become cyber resilient

Cyber-attacks can cause a lot of nuisance and damage. In the event of a cyber-attack, systems can be shut down, personal data can be exposed or even physically dangerous situations can arise. In the video 'Chain approach cyber security' you can find out how Kiwa helps organizations to be cyber resilient.

RELIABLE. COMPLIANT. TRUSTWORTHY.

Why Kiwa?

✓ One-stop-shop: services for OT, IT, and IoT

✓ Independent, objective assessments

✓ Expertise in laws and regulations

✓ Proven quality in testing, inspection, certification and training

✓ Forward-looking vision on cybersecurity

At Kiwa Kaufbeuren, we ensure that your products meet the highest standards for functional safety – through a combination of precise testing, accredited expertise, and global recognition.

Our team supports manufacturers, developers, and system integrators in all phases – from design to testing.

How Kiwa supports manufacturers

Kiwa provides independent, confidential pre-compliance cybersecurity services for radio and connected products, including:

  • IoT Security spot check
  • RED cybersecurity gap assessments (Article 3(3)(d/e/f))
  • Vulnerability analysis and penetration testing
  • Secure design and architecture reviews
  • Support with technical documentation and conformity preparation
  • Clear reporting with findings, severity ratings, and remediation recommendations
  • RED test according to EN 303 645

Important note: Kiwa Primara currently provides pre-compliance testing and technical conformity preparation. Formal certification or notified body activities are not part of these services.

Radio Equipment Directive (RED) - Cybersecurity Requirements

Cybersecurity has become a regulatory requirement for connected radio equipment placed on the European market. With the increasing integration of wireless technologies in industrial, consumer, and energy-related products, the Radio Equipment Directive (RED) 2014/53/EU now explicitly addresses cybersecurity risks that may impact networks, users, and personal data.

From 1 August 2025, manufacturers must comply with the cybersecurity provisions of RED Article:

  • 3(3)(d), to ensure network protection;
  • 3(3)(e), to ensure safeguards for the protection of personal data and privacy;
  • 3(3)(f), to ensure protection from fraud.

These requirements apply to a wide range of connected radio equipment and directly affect product design, risk management, and technical documentation.

Kiwa supports manufacturers with independent pre-compliance cybersecurity services, helping to identify gaps early and prepare efficiently for conformity assessment.

Why RED Cybersecurity is critical for market access

Modern radio equipment—such as IoT devices, smart meters, industrial wireless systems, and connected consumer products—is increasingly exposed to cybersecurity threats due to permanent connectivity and complex system interfaces.

The significance of the cybersecurity requirements within the Radio Equipment Directive (RED) cannot be overstated, as they are vital for safeguarding the safety, security, and privacy of users of radio equipment across the European Union (EU). RED cybersecurity requirements are intended to ensure that radio equipment is secure by design, reducing risks such as:

  • Unauthorized access to networks and systems
  • Manipulation of device functionality
  • Personal data breaches and privacy violations
  • Misuse of network resources and service disruption

Failure to adequately address these risks can result in market access delays, product recalls, and reputational damage.  

RED Article 3(3): Cybersecurity Requirements

The cybersecurity obligations are defined in RED Article 3(3) and further specified in Commission Delegated Regulation (EU) 2022/30.

Article 3(3)(d): Protection of Networks

Radio equipment must be designed so that it does not harm networks or misuse network resources.

This includes:

  • Preventing unauthorized access to networks
  • Protecting against denial-of-service scenarios
  • Ensuring robust and secure communication mechanisms

Typical focus areas: protocol security, authentication, resilience against network-based attacks.

Article 3(3)(e): Protection of personal data and privacy

Radio equipment must incorporate safeguards to protect personal data and user privacy.

This includes:

  • Secure handling of credentials and sensitive data
  • Protection against data leakage and unauthorized access
  • Secure storage and transmission of information

Typical focus areas: encryption, access control, secure firmware architecture, data lifecycle management.

Article 3(3)(f): Fraud prevention

Radio equipment must include measures to prevent fraud and misuse.

This includes:

  • Protection against device manipulation
  • Ensuring integrity of software and firmware updates
  • Preventing unauthorized functional changes

Typical focus areas: secure boot, firmware integrity, update mechanisms, tamper resistance.

Which products are affected?

The RED cybersecurity requirements apply to manufacturers placing network-connected radio equipment on the EU market, including:

  • IoT (Internet of Things) and smart home products
  • Industrial wireless and automation systems
  • Smart meters and energy-related devices
  • Wearables and consumer electronics
  • Connected monitoring and sensing equipment
  • Automated Guided Vehicles
  • Charging Stations

Importers and distributors are also required to ensure that only compliant products are made available on the market.

Demonstrating RED Cybersecurity Compliance

Compliance with RED Article 3(3)(d), (e), and (f) is typically demonstrated through:

  • A structured cybersecurity risk assessment
  • Technical documentation addressing the applicable requirements
  • Testing and evaluation aligned with relevant standards, such as:
    • EN 18031 series
    • ETSI cybersecurity standard EN 303 645 for IoT products
    • IEC 62443-4-2 for industrial components and products
  • An EU Declaration of Conformity

Kiwa supports manufacturers throughout this process with clear, traceable, and technically robust evidence.

A structured approach to RED Cybersecurity Readiness

Based on practical project experience, Kiwa recommends an early and structured approach:

  1. Clarification of applicability of RED Article 3(3)(d/e/f)
  2. Cybersecurity risk assessment and threat analysis
  3. Review of product architecture and secure design measures
  4. Targeted pre-compliance cybersecurity testing
  5. Preparation and validation of technical documentation

Early engagement reduces regulatory risk and avoids costly redesigns late in the development cycle.

Contact

Do you have questions about your RED cybersecurity readiness or our services?

Preparing for RED cybersecurity requirements does not have to be complex.
Whether you are at an early design stage or approaching market entry, our experts are ready to support you with practical, independent guidance and pre-compliance testing.

Feel free to contact us to discuss your product, regulatory obligations, and next steps toward RED cybersecurity readiness.