The European Union (EU) has rapidly evolved into one of the most complex cybersecurity environments in the world, introducing multiple regulations that place stringent requirements on both new and existing connected products. From the Digital Operational Resilience Act (DORA) for financial entities to the Cyber Resilience Act (CRA) covering all products with digital elements, and from the NIS2 Directive for critical sectors to the Radio Equipment Directive (RED), manufacturers and certifying labs are faced with a regulatory “tsunami.” For those dealing with radio equipment, the recent harmonization of the EN 18031 series under the RED further complicates—and potentially streamlines—compliance, depending on how well organizations manage the new requirements.
Below, we break down the landscape, highlight key challenges, and suggest how companies—especially vendors, certifying labs, and existing product teams—can navigate the maze of EU cybersecurity regulations while maintaining market access and competitive advantage. We’ll also show how a solution like CyberPass can simplify the process for all stakeholders involved.
The Rapidly Evolving EU Cyber Policy Landscape
Overlapping Regulations
The EU’s cybersecurity framework now features multiple overlapping regulations, each targeting different industries and aspects of digital operations:
- DORA (Digital Operational Resilience Act):
Primarily for financial entities, effective January 2025. It imposes robust ICT risk management and incident reporting obligations.
- CRA (Cyber Resilience Act):
Applies to all products with digital elements, fully enforceable from December 2027. The CRA mandates “security by design” throughout a product’s lifecycle—spanning development, production, distribution, and post-market support.
- NIS2 Directive:
Extends cybersecurity obligations to critical sectors such as energy, transport, and healthcare. Full compliance is expected by October 2026.
- RED (Radio Equipment Directive):
Now includes a harmonized EN 18031 series (effective August 1, 2025) that sets cybersecurity standards for internet-connected radio equipment. Parts 1, 2, and 3 address network protection, user privacy, and fraud prevention respectively.
This patchwork of regulations, each with its own deadlines and scopes, can overwhelm companies—especially those producing IoT devices or offering solutions to multiple sectors. By 2033, there could be more than 39.6 billion IoT devices worldwide (Statista), each potentially falling under one or more EU regulations depending on its functionality and risk profile.

A key development for radio products is the harmonization of EN 18031. Published in the Official Journal of the EU on January 28, 2025, this standard series grants a presumption of conformity for manufacturers that meet specified requirements. If all restrictions are satisfied, self-declaration becomes possible—eliminating the need for a Notified Body and cutting both time and costs. For instance:
- EN 18031-1 addresses network protection and service integrity for internet-connected radio equipment.
- EN 18031-2 targets devices handling user data (e.g., childcare monitors, wearables) to ensure privacy and data protection.
- EN 18031-3 focuses on radio equipment that processes virtual currencies or monetary values to reduce fraud.
While self-declaration under EN 18031 is an attractive option, failure to meet any restriction means reverting to a full conformity assessment with a Notified Body—an often lengthy and expensive route.
The Case for “Security by Design”
Why It Matters
“Security by design” is the foundational principle of the CRA and a best practice across all EU cybersecurity regulations. It involves embedding robust security features into every stage of product development, from concept to production, to reduce vulnerabilities and ease compliance. This approach also extends to post-market surveillance and updates, ensuring that manufacturers patch newly discovered vulnerabilities quickly.
Given that cybersecurity attacks are escalating—billions of malware attacks per year globally, and data breaches costing companies an average of €4 million per incident—waiting until the product is market-ready to integrate security measures is no longer viable.
New Products vs. Existing Products
- New Products:
For vendors designing brand-new IoT devices, incorporating security by design from the earliest stages is vital. They can leverage harmonized standards like EN 18031, self-declare compliance (if they meet all restrictions), and streamline their path to CE marking.
- Existing Products:
Many manufacturers have devices already in the market. They must now retrofit these devices to comply with evolving EU regulations. That can include firmware updates, improved data encryption, better user authentication, and ongoing vulnerability management. Certifying labs play a pivotal role here, guiding manufacturers through gap assessments and updating technical documentation to align with the new mandates.
Key Challenges for Vendors and Certifying Labs
1. Multiple Regulatory Frameworks:
A single product may need to comply with CRA, DORA (if it intersects with financial data), NIS2 (if it’s deemed critical infrastructure), and RED (if it uses radio frequencies). Labs must keep track of these requirements, and vendors must produce detailed documentation for each framework.
2. Time-Consuming Assessments:
Traditional processes for assessing cybersecurity compliance—especially if a Notified Body is involved—can slow down product releases. This is problematic in a market where time-to-market can make or break commercial success.
3. Technical Expertise and Workforce Skills:
The shortage of cybersecurity talent complicates efforts to meet these standards. Vendors and labs need specialized teams to interpret regulations, implement security protocols, and conduct thorough risk assessments.
4. Post-Market Obligations:
Regulations like the CRA demand continuous support, meaning ongoing security patches and updates throughout the product’s lifecycle. Labs and vendors must collaborate long after initial certification.
Practical Solutions for Thriving in a Complex Environment
1. Adopt a “Security by Design” Framework
Vendors should conduct cyber risk assessments early in the development cycle, apply secure coding standards, and plan for continuous updates. This approach meets multiple regulatory expectations simultaneously, whether for CRA or NIS2.
2. Leverage Harmonized Standards
EN 18031 offers a direct path to compliance for radio equipment. Similarly, recognized industry standards like ETSI EN 303 645 (for consumer IoT) or IEC 62443 (for industrial systems) can reduce uncertainty. When self-declaration is feasible, it accelerates market entry and cuts costs.
3. Develop Integrated Compliance Strategies
For companies impacted by both DORA and NIS2, or those spanning multiple industries, a unified compliance framework is essential. This often involves cross-department collaboration (engineering, legal, marketing, etc.) and a centralized cybersecurity governance model that tracks regulatory changes and adapts policies accordingly.
4. Enhance Internal Capabilities and Training
Invest in workforce development. By training engineers and compliance officers on the latest EU directives and harmonized standards, organizations can build internal expertise—often turning compliance into a competitive advantage rather than a burden.
5. Utilize Third-Party Expertise (and Tools Like CyberPass)
Sometimes, external consultants or certification bodies are indispensable. However, a platform like CyberPass can significantly streamline the process for both vendors and certifying labs:
- For Vendors:
CyberPass automates much of the compliance documentation and ensures that each step of the product’s design aligns with EN 18031, CRA, and other relevant standards. This reduces the administrative load and lowers the chance of errors.
- For Certifying Labs:
Labs can integrate CyberPass to simplify audits and expedite the conformity assessment. By having a unified dashboard of product specifications, security measures, and regulatory checkpoints, labs can focus on in-depth testing rather than paperwork. This helps labs manage multiple clients more efficiently, especially when dealing with large volumes of IoT devices.
Final Thoughts: Turning Regulation into Opportunity
Despite the complexity of overlapping EU regulations, businesses can view this environment as an opportunity to differentiate. As more than 39.6 billion IoT devices come online by 2033 (Statista), consumer and enterprise demand for secure products will only grow. By adopting “security by design,” leveraging harmonized standards like EN 18031, and using integrated compliance solutions like CyberPass, vendors and certifying labs can ensure not only compliance but also market success.
Ultimately, the EU’s “regulatory tsunami” isn’t just about avoiding penalties or meeting minimum standards. It’s about building a more secure, resilient digital ecosystem—one in which products are designed with robust cybersecurity from day one, existing devices are continuously improved, and stakeholders across the supply chain collaborate to keep pace with emerging threats. Through proactive planning, continuous learning, and strategic use of tools and expertise, organizations can ride the wave of EU cybersecurity regulations toward sustainable innovation and trust.
