EU’s Cybersecurity Mandate: Upgrade for Radio Equipment

As connectivity accelerates, so do the risks. The European Commission’s new Implementing Decision (EU) 2025/138, dated 28 January 2025, marks a significant upgrade in cybersecurity standards for radio equipment under Directive 2014/53/EU. This decisive move refines the harmonised standards to ensure that devices—from everyday internet-connected radios to those processing virtual money—meet stringent security requirements.

Revamping Standards for a Secure Future

The decision updates the existing framework by incorporating revised harmonised standards—EN 18031-1:2024, EN 18031-2:2024, and EN 18031-3:2024—which now include clearer restrictions. According to the new mandate, parts of these standards, such as the “rationale” and “guidance” sections, serve only as advisory notes and “do not confer a presumption of conformity” on their own. This ensures that only devices meeting the full technical specifications can claim compliance.

No Room for Default Weaknesses

A key element of the new decision targets default security settings. The restriction specifically states that where “clauses 6.2.5.1 and 6.2.5.2” of the standards allow users to bypass password creation, the relevant authentication risks remain unaddressed. In essence, manufacturers can no longer offer the option for users to operate without setting a secure password—much like leaving your door wide open in a busy neighborhood.

Stricter Measures for Vulnerable Categories

For products designed for children—such as toys or childcare radio equipment—the updated standards stress the necessity of robust parental or guardian controls. If these controls are not properly implemented, the devices will fail to meet the essential cybersecurity requirements laid out in Directive 2014/53/EU. This measure aims to ensure that vulnerable users receive an extra layer of protection against unauthorized access.

Securing Digital Transactions

The new requirements extend to radio equipment that processes virtual money or monetary value. Relying solely on digital signatures, secure communications, or access controls isn’t enough. The decision emphasizes a multi-faceted security strategy, underlining that no single method can adequately address the authentication risks associated with financial transactions.

What It Means for the ICT Industry

For professionals in testing, certification, and digital marketing within the ICT industry, this decision is both a challenge and an opportunity. Manufacturers must review and update their products to comply with these enhanced security measures, while testing labs are called upon to rigorously validate compliance. As the decision states, compliance “confers a presumption of conformity” only from the publication of these standards in the Official Journal of the European Union—setting a clear timeline and benchmark for industry-wide adherence.