Overview
New EU cybersecurity requirements under RED take effect August 1, 2025. While no changes to Bluetooth specifications are needed, implementers should review the advisory to check alignment with existing Bluetooth security best practices.
Advisory regarding the EU's new Radio Equipment Directive
The cybersecurity requirements of the Radio Equipment Directive (RED 2014/53/EU) will become a mandatory part of the CE Mark in the European Union on August 1, 2025, and will apply to a wide range of radio equipment, including Bluetooth devices.
These requirements are described in the EN 18031 series of harmonised standards, comprising 3 specifications published on January 30, 2025. They mostly relate to device security and privacy risk assessment, testing and documentation, including processes to support handling and patching of identified security vulnerabilities.
These aspects are generally outside the scope of the adopted Bluetooth specifications. However, there are cybersecurity requirements in the EN 18031 standards associated with over-the-air data transfers, and the Bluetooth specifications do offer security features that can be enabled to achieve the associated security goals.
While it is the sole responsibility of each device manufacturer to complete the risk assessment based on the standard’s requirements and to fill in the appropriate documentation based on the functionality and intended usage of the device, we highly recommend following all Bluetooth security and privacy best practices in your implementations:
- Enable the most up-to-date Bluetooth security features.
- Implement all security recommendations in the Bluetooth Core specification, the Security and Privacy Best Practices Guide, and any other implemented Bluetooth specifications such as GATT profiles which may define their own security requirements and best practices.
- Avoid support for legacy security protocols and features with known vulnerabilities, as these may require justification via additional documentation.
- Check your product against public lists of Bluetooth vulnerabilities (e.g., the NIST National Vulnerability Database) and use the latest versions of the Bluetooth software provided by your vendors.
Disclaimer:
(This KBA is intended to provide Bluetooth SIG members with helpful information and address frequently asked questions. Governing documents, membership agreements, policies, and other Bluetooth SIG rules and guidelines can be found here.)