Is Your Radio Product “Internet-Connected”? How to Know if EN 18031 Applies

Since 1 August 2025, cybersecurity requirements under the Radio Equipment Directive have been mandatory for a specific category of products: internet-connected radio equipment. If your product falls into that category, you must comply with the cybersecurity requirements activated by Delegated Regulation (EU) 2022/30, and the harmonised standard that tells you how to meet them is EN 18031.

The question is: does your product qualify as “internet-connected radio equipment”?

The answer is not always obvious. A guidance document published in February 2026 by the Group of Administrative Co-operation under the RED (ADC RED) sets out seven concrete cases to help manufacturers make this determination. This article walks through those cases in plain language, with the examples provided in the official guidance.

What the RED Delegated Regulation Requires

The RED Delegated Regulation (EU) 2022/30 activates Articles 3(3)(d), (e) and (f) of the Radio Equipment Directive for certain product categories. These articles cover protection against fraud, protection of personal data and privacy, and network protection. Together, they constitute the cybersecurity layer of the RED.

The Delegated Regulation applies to three categories of products: internet-connected radio equipment, radio equipment that can access the internet (such as smartphones and tablets), and wearable radio equipment. This article focuses on the first category, which is the one generating the most questions in practice.

One clarification worth making upfront: the RED Delegated Regulation and the Cyber Resilience Act (EU) 2024/2847 are different frameworks with different scopes.

The CRA is a horizontal regulation covering all products with digital elements.

The RED Delegated Regulation supplements the RED specifically for certain classes of radio equipment.

The two can overlap, but this article deals exclusively with the RED cybersecurity requirements.

The Central Question: What Makes a Product “Internet-Connected”?

Under the Delegated Regulation, radio equipment qualifies as “internet-connected” if it operates a protocol, open or proprietary, that allows communication over the internet. This includes both direct connection to the internet and indirect connection through intermediate equipment.

The phrase “through intermediate equipment” is important. A product does not need to connect to the internet on its own to fall within scope. If it connects to a hub, gateway, or router that in turn connects to the internet, and if the product itself operates a protocol that is capable of internet communication, it qualifies.

The determination is the responsibility of the manufacturer and must be made on a case-by-case basis.

Decision Guide: 7 Cases from the Official Guidance

The ADC RED guidance published in February 2026 provides seven illustrated cases. Here is what each one means in plain language.

Case 1: A radio product connected to the internet via a wired intermediate device

The product has radio functionality and uses a protocol that is capable of internet communication. It connects by wire to an intermediate device, which then connects to the internet. The product is internet-connected radio equipment and falls within scope.

Case 2: A radio product connected to the internet via a wireless intermediate device

Same as Case 1, but the connection to the intermediate device is wireless rather than wired. The product operates an internet-capable protocol and reaches the internet through the intermediate device. It is internet-connected radio equipment and falls within scope. Examples from the guidance: a wireless hotel door lock using NFC, a smart TV using Wi-Fi, a smart tablet using Wi-Fi.

Case 3: A radio product connected directly to the internet

The product has radio functionality and connects to the internet directly, without any intermediate device. It falls within scope. Examples: a tablet using 4G, a smartphone using 5G.

Case 4: A radio product that does not use an internet-capable protocol

The product has radio functionality but does not operate a protocol that allows communication over the internet. On its own, this means it does not qualify as internet-connected radio equipment. However, the manufacturer must perform a risk assessment to confirm that the product cannot communicate with the internet and cannot be accessed from the internet. Examples: an asset tracking device using Sigfox, a temperature sensor using LoRaWAN.

Case 5: A radio product using a short-range protocol, connected to an intermediate device that reaches the internet

The product uses a radio protocol that is not internet-capable, such as NFC, Zigbee, or Bluetooth. It connects to an intermediate device that does connect to the internet. Because the product itself does not operate an internet-capable protocol, it does not qualify as internet-connected radio equipment. Again, the manufacturer must confirm this through a risk assessment. Examples: a standalone door lock using NFC, a standalone light bulb using Zigbee, wireless headphones using Bluetooth.

Case 6: A non-radio product combined with a radio module

A product such as a washing machine, refrigerator, or coffee machine has no radio functionality on its own. It is combined with a Wi-Fi module, which does operate an internet-capable protocol. The combined product qualifies as internet-connected radio equipment and falls within scope. Examples: a smart washing machine, a smart refrigerator, a smart coffee machine, a smart loudspeaker.

Case 7: A radio product with a non-internet-capable protocol, combined with a non-radio product that has a wired internet connection

A product has radio functionality using NFC, which is not an internet-capable protocol. It is combined with a second product that has no radio functionality but does have a LAN port. The combination creates a product that has radio functionality and can communicate over the internet via the LAN connection. The combined product is internet-connected radio equipment and falls within scope. Example: a washing machine with a LAN port combined with an NFC module.

The Grey Zone: When the Risk Assessment Decides

Cases 4 and 5 introduce an important nuance. When a product uses a radio protocol that is not internet-capable, such as LoRaWAN, Sigfox, Zigbee, NFC, or standalone Bluetooth, the starting presumption is that it does not fall within scope. But the manufacturer cannot simply leave it there.

The guidance is explicit: the manufacturer must perform a risk assessment to confirm that the product is not capable of communicating with the internet and cannot be accessed from the internet.

If the risk assessment cannot confirm this with confidence, the product should be treated as in-scope.

In practical terms, this means that even products using short-range or proprietary protocols need to go through a documented scoping exercise before the manufacturer concludes that the cybersecurity requirements do not apply.

If Your Product Is in Scope: What EN 18031 Requires

If your product qualifies as internet-connected radio equipment under any of the cases described above, the cybersecurity requirements of Articles 3(3)(d), (e) and (f) of the RED apply. The harmonised standard that provides a presumption of conformity with these requirements is EN 18031.

EN 18031 is a family of three standards covering internet-connected radio equipment (EN 18031-1), radio equipment with the capability to transmit and receive voice or text (EN 18031-2), and wearable radio equipment (EN 18031-3). For internet-connected radio equipment, EN 18031-1 is the primary applicable standard.

Compliance with EN 18031 does not require third-party certification in most cases. The manufacturer conducts the conformity assessment, produces the technical documentation, and issues the EU Declaration of Conformity. The CE marking for an in-scope product must include reference to the RED cybersecurity requirements alongside the other applicable directives.

RED Cybersecurity and the Cyber Resilience Act: Understanding the Overlap

Manufacturers of connected products are increasingly confronted with both the RED cybersecurity requirements and the Cyber Resilience Act. These are not duplicates of each other, but they do overlap for some product categories.

The CRA applies to all products with digital elements placed on the EU market. The RED Delegated Regulation applies specifically to the radio equipment categories described above. A product that falls within both frameworks must satisfy both, and the technical requirements are not identical. The CRA has a broader scope and a different conformity assessment structure.

Understanding how the two frameworks interact for a specific product is one of the areas where the compliance workload is most commonly underestimated in 2026.

How GetReady Compliance Can Help

Determining whether your product is in scope, understanding what EN 18031 requires for your specific use case, and managing the overlap with the Cyber Resilience Act are tasks that benefit from structured expert support, particularly for manufacturers outside the EU who are approaching these requirements for the first time.

If you are assessing whether your radio product falls under the RED cybersecurity requirements or planning your EN 18031 compliance project, request a quote for a product-specific discussion.
